Content Security Policy


Content Security Policy (CSP) is a security mechanism that tells the client browser which actions and resources are allowed or disallowed within a webpage. It's an advanced technique that can help preventing attacks on your customers but requires some attention when including third-party resources such as the coview snippet.

CSP is not required

If you do not use this security mechanism, no further steps are required for coview to work.

Using coview with CSP

Make sure to include the following elements in your settings, together with what your site already uses:

script-src 'self' *;
style-src 'self' * 'unsafe-inline';
img-src data: *;



The initial coview snippet code needs to run and load the main functionality from our servers.

Static script tags

You can use the 'sha256-' whitelist mechanism to specifically allow the coview snippet if you embed it via static <script>[..]</script> tags and do not have 'unsafe-inline'.
Hint: Chrome/Chromium helpfully includes the necessary hash in it's error message so you don't have to compute it.


Our scripts need to do some local changes and load regular CSS stylesheets from our servers.


We need to display small images transported via the data: mechanism as well as others which are loaded from our servers.

Documentation - work in progress

We will soon extend this documentation.
If you're stuck anywhere, feel free to contact our support.

Testing the CSP settings

CSP has a helpful Content-Security-Policy-Report-Only mode in which browsers only report, but do not block elements that are classified as problematic. The relevant errors can be found in the browser error console.

This prevents any functional issues during testing but does not provide the protection CSP normally offers, so take care when enabling it in a production environment.

Advanced considerations

CSP can be a complicated subject and this guide only covers the basics related to coview.
We recommend and for further reading.

Updated 6 months ago

Content Security Policy

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.