Content Security Policy (CSP) is a security mechanism that tells the client browser which actions and resources are allowed or disallowed within a webpage. It's an advanced technique that can help prevent attacks on your customers, but it requires some attention when including third-party resources such as the coview snippet.
CSP is not required
If you do not use this security mechanism, no further steps are required for coview to work.
Make sure to include the following elements in your settings, together with what your site already uses:
Content-Security-Policy: script-src 'self' *.coview.com; style-src 'self' *.coview.com 'unsafe-inline'; img-src data: *.coview.com;
The initial coview snippet code needs to run and load the main functionality from our servers.
Static script tags
You can use the 'sha256-' whitelist mechanism to specifically allow the coview snippet if you embed it via static <script>[..]</script> tags and do not have
Hint: Chrome/Chromium helpfully includes the necessary hash in its error message so you don't have to compute it.
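If the policy is generated at build time rather than copied from the browser console, the hash can be computed directly. The following Python sketch is an added example, not coview's own code: it extracts the inline script bodies from a page, computes their 'sha256-' sources and appends them to the script-src directive of the policy shown above. The sample HTML, its placeholder script body and all function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Policy string copied from the guide above.
BASE_POLICY = ("script-src 'self' *.coview.com; "
               "style-src 'self' *.coview.com 'unsafe-inline'; "
               "img-src data: *.coview.com;")
# Constructed sample page; the inline body is a placeholder, not the real snippet.
SAMPLE_HTML = ('<script src="/static/app.js"></script>\n'
               '<script>\n  window.examplePlaceholder = true;\n</script>\n')

class InlineScripts(HTMLParser):
    """Collects the exact text of every <script> element that has no src."""
    def __init__(self):
        super().__init__()
        self.bodies, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.bodies.append("".join(self._buf))
            self._buf = None

def inline_script_bodies(html):
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    return parser.bodies

def csp_hash_source(script_body):
    """'sha256-<base64>' over the exact bytes between the tags, whitespace included."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def policy_with_hashes(policy, html):
    """Append one hash source per inline script to the script-src directive only."""
    hashes = [csp_hash_source(b) for b in inline_script_bodies(html)]
    parts = [d.strip() for d in policy.split(";") if d.strip()]
    return "; ".join(" ".join([d] + hashes) if d.split()[0] == "script-src" else d
                     for d in parts) + ";"

if __name__ == "__main__":
    print(policy_with_hashes(BASE_POLICY, SAMPLE_HTML))
```

The hash covers the exact text between the tags, so any change to the embedded snippet, including whitespace, requires a new hash in the policy.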
Our scripts need to do some local changes and load regular CSS stylesheets from our servers.
We need to display small images transported via the data: mechanism as well as others which are loaded from our servers.
Documentation - work in progress
We will soon extend this documentation.
If you're stuck anywhere, feel free to contact our support.
CSP has a helpful Content-Security-Policy-Report-Only mode in which browsers only report, but do not block elements that are classified as problematic. The relevant errors can be found in the browser error console.
This prevents any functional issues during testing but does not provide the protection CSP normally offers, so take care when enabling it in a production environment.
CSP can be a complicated subject and this guide only covers the basics related to coview.
We recommend https://content-security-policy.com and https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for further reading.