Content Security Policies (CSP) are delivered as headers to your users' browsers by your web server and declare which dynamic resources are allowed to load on your page. By specifying approved sources, you can protect your visitors from a whole range of issues, but this does require the site administrator to maintain an up-to-date list of approved sources.
In most cases it is sufficient to allow scripts and styles only from your own domain and from the domains of any tools that you are using, but sites using external resources may need a more complex set of directives. For Feefo, choose one of the following:
The simplest option to allow Feefo integration widgets to run within a site implementing a CSP is to append the following values to your existing default-src directive:
https://*.feefo.com https://*.vzaar.com data: 'unsafe-eval' 'unsafe-inline'
If you would like stricter conditions, append each of the following sets of CSP values to the appropriate directive (shown in italics):
https://*.feefo.com 'unsafe-eval' 'unsafe-inline';
data: https://*.feefo.com https://*.vzaar.com;
To apply the strictest CSP conditions but still allow our integration widgets to run, append the following values to the directives (shown in italics):
data: https://api.feefo.com https://www.feefo.com https://view.vzaar.com https://resources.vzaar.com;
- When appending values to an existing set of directives, ensure that values are not duplicated.
- Vzaar are Feefo's video hosting provider.
- For details of your_Feefo_merchant_identifier see Where to find my merchant identifier?
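The simplest option above, combined with the note about not duplicating values, as an added example (not Feefo's code): a Python helper that appends the page's default-src values to an existing policy string and skips any value already present. The sample policy is constructed and the function names are hypothetical.

```python
FEEFO_SIMPLE = "https://*.feefo.com https://*.vzaar.com data: 'unsafe-eval' 'unsafe-inline'"  # values from this page


def _key(source):
    """Comparison key: schemes, hosts and keywords ignore case; paths, nonces and hashes do not."""
    if source.lower().startswith(("'nonce-", "'sha")):
        return source
    scheme, sep, rest = source.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.lower() + sep + host.lower() + slash + path


def parse_policy(policy):
    """Split a CSP header value into an ordered list of (directive name, [values])."""
    directives = []
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def append_sources(policy, directive, extra):
    """Return the policy with the values in `extra` appended to `directive`, skipping duplicates."""
    directive = directive.lower()
    parsed = parse_policy(policy)
    if directive not in [name for name, _ in parsed]:
        # Creating a fetch directive would replace the default-src fallback for
        # that resource type instead of extending it, so refuse.
        raise ValueError(f"policy has no {directive} directive to append to")
    out, done = [], False
    for name, values in parsed:
        if name == directive and not done:  # browsers honour only the first occurrence
            done = True
            values = [v for v in values if v.lower() != "'none'"]  # 'none' only works alone
            seen = {_key(v) for v in values}
            for src in extra.split():
                if _key(src) not in seen:
                    seen.add(_key(src))
                    values.append(src)
        out.append(" ".join([name] + values))
    return "; ".join(out)


# Constructed sample policy, not taken from any real site.
EXISTING = "default-src 'self' https://*.feefo.com; img-src 'self' data:"
print(append_sources(EXISTING, "default-src", FEEFO_SIMPLE))
```

Running the helper a second time on its own output leaves the policy unchanged, so it is safe to apply from a deployment script.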