Using GoSquared with Content-Security-Policy
Last updated: 26th June, 2018
The Content-Security-Policy standard allows websites to specify a set of rules governing how content such as scripts may run.
If you are already using CSP with Google's recommended Strict CSP standard, then GoSquared will work without any additional changes to your policy.
If you wish to explicitly set a stricter CSP, the following directives are the minimum required for GoSquared to work correctly:
script-src https://d1l6p2sc9645hc.cloudfront.net https://*.gosquared.com https://js.gs-chat.com; img-src blob: https://img.gs-chat.com https://avatars.gosquared.com https://secure.gravatar.com https://uploads.gs-chat.com; connect-src wss://gs-ws.com https://api.gosquared.com https://metrics.gs-chat.com https://gschat-uploads.s3-accelerate.amazonaws.com; style-src 'unsafe-inline'; media-src data: https://static.gosquared.com
If you are not using GoSquared Chat, then only the following is required:
script-src https://d1l6p2sc9645hc.cloudfront.net https://*.gosquared.com
If you are serving pages via HTTP as well as HTTPS, both instances of https:// should be removed from this directive.
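The directives above are a minimum, so on a site that already sends a policy they have to be merged into it rather than pasted over it. The following is an added example, not GoSquared's own code: the helper names (parseCsp, mergeCsp) and the sample site policy are assumptions made for illustration. It handles the two cases where a naive merge changes what the site itself may load: a directive that is currently covered by default-src, and one that is not restricted at all.

```javascript
// Added example: merge the GoSquared sources listed on this page into an
// existing Content-Security-Policy value. Helper names are hypothetical.

// Minimum directives from this page (with GoSquared Chat).
const GOSQUARED_WITH_CHAT =
  "script-src https://d1l6p2sc9645hc.cloudfront.net https://*.gosquared.com https://js.gs-chat.com; " +
  "img-src blob: https://img.gs-chat.com https://avatars.gosquared.com https://secure.gravatar.com https://uploads.gs-chat.com; " +
  "connect-src wss://gs-ws.com https://api.gosquared.com https://metrics.gs-chat.com https://gschat-uploads.s3-accelerate.amazonaws.com; " +
  "style-src 'unsafe-inline'; media-src data: https://static.gosquared.com";

// Minimum directive from this page (without GoSquared Chat).
const GOSQUARED_NO_CHAT =
  "script-src https://d1l6p2sc9645hc.cloudfront.net https://*.gosquared.com";

// Parse a policy string into a Map of directive name -> array of sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so keep the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Add the required sources to the existing policy without dropping anything.
function mergeCsp(existing, required) {
  const policy = parseCsp(existing);
  for (const [name, sources] of parseCsp(required)) {
    // A specific directive replaces default-src instead of extending it, so a
    // newly created directive starts from the default-src sources. (Every
    // directive listed on this page falls back to default-src.)
    const base = policy.get(name) ?? policy.get("default-src");
    // Neither present: that resource type is unrestricted today, and adding
    // the directive would only block the site's own content.
    if (base === undefined) continue;
    // 'none' must stand alone, so it is dropped once sources are added.
    const merged = base.filter((s) => s.toLowerCase() !== "'none'");
    for (const s of sources) if (!merged.includes(s)) merged.push(s);
    policy.set(name, merged);
  }
  return [...policy].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Constructed sample policy for a site that does not use GoSquared Chat.
const SAMPLE = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'";
console.log(mergeCsp(SAMPLE, GOSQUARED_NO_CHAT));
```

If the existing style-src uses nonces or hashes, browsers ignore 'unsafe-inline' in that directive, so check the merged policy in report-only mode before enforcing it.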