Content Security Policy (CSP)


Content Security Policy is a security mechanism that adds an extra layer of protection to your application and helps to mitigate XSS and data injection attacks. In this article, you'll learn how to configure your existing CSP response header to play well with the Coview snippet.


CSP is not required

If you aren't sending a CSP header at the moment, you can skip this section - Coview would work perfectly well without it.

Configuration (short)

To allow Coview on your website, integrate the following policies into your existing CSP header definition:

  script-src: 'self' *;
  connect-src 'self' *;
  style-src: 'self' * 'unsafe-inline';
  img-src data: *;
  font-src 'self' *;
  media-src 'self' *;
  frame-src 'self' *;

Configuration (extended)

CSP acts a bit like a firewall: once rules are defined, it blocks certain categories of network requests that do not fit to those rules.

The details and full configuration of the CSP rules depends not just on your own page (e.g., 'self'), but also on other media services, apps and widgets that you include on your website. This varies between Coview customers, for example with regards to Intercom.
Consequentially, the configuration mentioned above is meant as a minimal guideline that shows which rules the Coview app requires to work. The definition example should be used to extend (not replace!) your current definitions.


This policy allows the browser to download the snippet code from our servers.


Inline scripts

If you absolutely must use a script tag, make sure to whitelist it either by adding a nonce or a hash attribute to it.

It's worth noting that Chromium based browsers automatically computes missing hashes for each inline script and outputs them to the console.

This allows the widget code to communicate with our servers.

This property permits the browser to load regular CSS stylesheets from our servers and apply changes via a style tag.

This policy makes it possible for our servers to deliver images, for example support agent avatars.

This policy permits loading of fonts from our servers.

Permit audio and video elements in our content.

This allows iframes for our content.

Testing and monitoring

CSP has a Content-Security-Policy-Report-Only mode which instructs browser to only report suspicious requests without actually blocking anything. All relevant errors can be found in the browser's JS console. Take extra care when switching this mode on in a production environment.

Learn more