Content Security Policies (CSP) are delivered as headers to your users' browser by your web-server and they are used to declare which dynamic resources are allowed to load on your page. By specifying approved sources, you can protect your visitors from a whole range of issues but this does require the site administrator to maintain an up-to-date list of approved sources.

Simply declaring that scripts/styles from only your own domain and that of any tools that you are using are allowed will, in most cases, be sufficient, but for sites using external resources, a set of more complex directives may be necessary. For Feefo, choose one of the following:

Option 1

The simplest option to allow Feefo integration widgets to run within a site implementing a CSP policy is to append the following values to your existing default-src directive:

https://*.feefo.com https://*.vzaar.com data: 'unsafe-eval' 'unsafe-inline'

Option 2

If you would like stricter conditions, append each of the following sets of CSP values to the appropriate directive (shown in italics):

script-src

https://*.feefo.com 'unsafe-eval' 'unsafe-inline';

connect-src

https://*.feefo.com;

img-src

data: https://*.feefo.com https://*.vzaar.com;

font-src

data:;

media-src

https://*.vzaar.com https://*.feefo.com;

Option 3

To apply the strictest CSP conditions but still allow our integration widgets to run, append the following values to the directives (shown in italics):

script-src

https://register.feefo.com https://api.feefo.com/api/javascript/your_Feefo_merchant_identifier 'unsafe-eval' 'unsafe-inline';

connect-src

https://api.feefo.com;

img-src

data: https://api.feefo.com https://www.feefo.com https://view.vzaar.com https://resources.vzaar.com;

font-src

data:;

media-src

https://video.vzaar.com https://view.vzaar.com;

Notes:

  • When appending values to an existing set of directives, ensure that values are not duplicated.
  • Vzaar are Feefo's video hosting provider. 
  • For details of your_Feefo_merchant_identifier see Where to find my merchant identifier?