Using GoSquared with Content-Security-Policy

The Content-Security-Policy standard allows websites to specify a set of rules governing how content such as scripts may run.

The GoSquared JavaScript snippet and Assistant, being third-party JavaScript, will need to be included in your CSP directives if you wish to use GoSquared on pages served with CSP headers.

If you are already using CSP with Google's recommended Strict CSP standard, then GoSquared will work without any additional changes to your policy.

If you wish to explicitly set a more strict CSP standard, the following directives are the minimum required for GoSquared to work correctly:

script-src
  https://d1l6p2sc9645hc.cloudfront.net
  https://*.gosquared.com
  https://js.gs-chat.com;
img-src
  blob:
  https://img.gs-chat.com
  https://avatars.gosquared.com
  https://secure.gravatar.com
  https://uploads.gs-chat.com;
connect-src
  wss://gs-ws.com
  https://api.gosquared.com
  https://metrics.gs-chat.com
  https://gschat-uploads.s3-accelerate.amazonaws.com;
style-src
  'unsafe-inline';
media-src
  data:
  https://static.gosquared.com

If you are not using GoSquared Chat, then only the following is required:

script-src https://d1l6p2sc9645hc.cloudfront.net https://*.gosquared.com

If you are serving pages via HTTP as well as HTTPS, both instances of https:// should be removed from this.
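
The following is an added example, not GoSquared's own code: one way to merge the sources listed above into a policy your site already sends. The site policy passed in and the function names are assumptions of this example. It handles the case where your policy only sets default-src: a fetch directive that is added explicitly no longer falls back to default-src, so the merge starts from the default-src sources to avoid blocking your own content.

```python
# Added example: merge GoSquared's required sources into an existing CSP.
# GOSQUARED_CSP is copied from the directive list on this page; the site
# policy passed in by the caller is an assumption of this example.
GOSQUARED_CSP = {
    "script-src": ["https://d1l6p2sc9645hc.cloudfront.net",
                   "https://*.gosquared.com", "https://js.gs-chat.com"],
    "img-src": ["blob:", "https://img.gs-chat.com",
                "https://avatars.gosquared.com", "https://secure.gravatar.com",
                "https://uploads.gs-chat.com"],
    "connect-src": ["wss://gs-ws.com", "https://api.gosquared.com",
                    "https://metrics.gs-chat.com",
                    "https://gschat-uploads.s3-accelerate.amazonaws.com"],
    "style-src": ["'unsafe-inline'"],
    "media-src": ["data:", "https://static.gosquared.com"],
}


def parse_csp(policy):
    """Parse a CSP string into {directive: [sources]}; first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def merge_gosquared(site_policy, chat=True):
    """Return site_policy extended with the sources GoSquared needs."""
    merged = parse_csp(site_policy)
    # Without Chat, only the first two script-src hosts are required.
    needed = GOSQUARED_CSP if chat else {
        "script-src": GOSQUARED_CSP["script-src"][:2]}
    for name, sources in needed.items():
        if name not in merged:
            # A newly added fetch directive stops falling back to default-src,
            # so start from the default-src list to keep the site's own sources.
            merged[name] = list(merged.get("default-src", []))
        current = merged[name]
        if "'none'" in current:
            current.remove("'none'")  # 'none' is only valid on its own
        for src in sources:
            if src not in current:
                current.append(src)
    return "; ".join(" ".join([n] + s) for n, s in merged.items())
```

Send the returned string as the value of the Content-Security-Policy response header.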

This list is liable to change as we release updates to the GoSquared JavaScript snippet and Assistant, so we recommend that you check this page regularly for changes. We also recommend subscribing to developer updates in your email preferences, which we will use to communicate updates wherever possible.
