Using GoSquared with Content-Security-Policy
Last updated: 4th April, 2021
🎓 The Content-Security-Policy standard allows websites to specify a set of rules governing how content such as scripts may run.
The GoSquared JavaScript snipped and Assistant, being third-party JavaScript, will need to be included in your CSP directives if you wish to use GoSquared on pages served with CSP headers.
If you are already using CSP with Google's recommended Strict CSP standard, then GoSquared will work without any additional changes to your policy.
If you wish to explicitly set a more strict CSP standard, the following directives are the minimum required for GoSquared to work correctly:
script-src
https://d1l6p2sc9645hc.cloudfront.net
https://*.gosquared.com
https://js.gs-chat.com;
img-src
blob:
data:
https://img.gs-chat.com
https://avatars.gosquared.com
https://secure.gravatar.com
https://uploads.gs-chat.com;
connect-src
wss://gs-ws.com
https://api.gosquared.com
https://api-cdn.gosquared.com
https://metrics.gs-chat.com
https://gschat-uploads.s3-accelerate.amazonaws.com;
style-src
'unsafe-inline';
media-src
data:
https://static.gosquared.com;
font-src
https://static.gosquared.com
If you are not using GoSquared Chat, then only the following is required
script-src: https://d1l6p2sc9645hc.cloudfront.net https://*.gosquared.com
If you are serving pages via HTTP as well as HTTPS, both instances of https://
should be removed from this.
This list is liable to change as we release updates to the GoSquared JavaScript snippet and Assistant, so we recommend that you check this page regularly for changes. We also recommend subscribing to developer updates in your email preferences, which we will use to communicate updates wherever possible.