Content Security Policy (CSP) is a header sent by the web server to the browser.
It is used to declare which dynamic resources can load on your site.
The CSP allows you to create a list of directives specifying which external resources (or scripts) can be used in your application. This restriction is meant to prevent XSS attacks that attach scripts loaded from other network locations to page sources. Any resources that do not match the policy will be rejected by the browser, and the browser itself will report a policy rule violation error.
If you detect CSP errors on your site, your development team or hosting provider will need to adjust the CSP settings.
Adjusting CSP settings
Step 1 - Check for CSP errors
If you are seeing problems displaying a survey on your website, sometimes it may be due to a CSP error. You can check your browser's console for errors. If you don't know how to do this, use this guide.
If there is a problem with the Content Security Policy, you will see an error similar to the one below:
Step 2 - Consult your developer or hosting provider to adjust CSP settings
Since all servers are different, the Webankieta support team will not be able to help resolve these issues beyond determining if there is a CSP error. When making changes to content security policies, the best person to contact is the web application developer or the person who manages your site.
Step 3 - Choose your CSP settings
Below is the set of rules you need to add to allow your survey to work properly on your website.
The ellipsis (...) in the examples below is a placeholder for any existing rules you already have. Each directive must be terminated with a semicolon:
script-src ... https://*.startquestion.com 'unsafe-inline' 'unsafe-eval';
img-src ... https://*.webankieta.pl https://*.startquestion.com data:;
style-src ... 'unsafe-inline';
connect-src ... https://*.startquestion.com;
However, if you need more detailed entries:
script-src ... https://library.startquestion.com https://app.startquestion.com https://files.startquestion.com 'unsafe-inline' 'unsafe-eval';
img-src ... https://files.webankieta.pl https://files.startquestion.com data:;
style-src ... 'unsafe-inline';
connect-src ... https://app.startquestion.com;
Attention: if you omit the 'unsafe-eval' value from the script-src directive, surveys that use JavaScript code rules will not be displayed.
Additional information
If the unsafe-inline value cannot be added to the script-src directive, we encourage you to use the nonce value protection according to this guide.
Adding the 'nonce' value
To add the 'nonce' value to the widget code, you need to modify our snippet. The 'nonce' value needs to be added to the two places shown in the following screenshot:
Description: In the above example, we generated a one-time value of '6JDFIvPbrWANKpSJ8vlv6b==' for the 'nonce' attribute.
In order for the 'nonce' solution to be secure, it is important to remember that the value of 'nonce':
- must be different every time you refresh the page,
- must be long enough (at least 128 bits),
- should be generated using a cryptographically secure pseudo-random number generator.
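The following Python snippet is an added example and is not Webankieta's or Startquestion's own code. It shows the server side of both parts of this guide: merging the survey sources from Step 3 into a site's existing policy, and replacing 'unsafe-inline' in script-src with a per-request nonce that meets the three requirements listed above (fresh on every page load, at least 128 bits, drawn from a cryptographically secure generator). The startquestion.com and webankieta.pl hosts are the ones listed in the rules above; EXISTING_POLICY is a constructed placeholder standing in for whatever rules your site already sends.

```python
import base64
import secrets

# Constructed placeholder for a site's pre-existing CSP (your real policy goes here).
EXISTING_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "img-src": ["'self'"],
    "style-src": ["'self'"],
    "connect-src": ["'self'"],
}

# Survey sources from the guide's shorter rule set. 'unsafe-inline' for scripts is
# added by build_csp() only when no nonce is used, as the guide recommends.
SURVEY_SOURCES = {
    "script-src": ["https://*.startquestion.com", "'unsafe-eval'"],
    "img-src": ["https://*.webankieta.pl", "https://*.startquestion.com", "data:"],
    "style-src": ["'unsafe-inline'"],
    "connect-src": ["https://*.startquestion.com"],
}

NONCE_BYTES = 16  # 128 bits, the minimum the guide asks for


def generate_nonce(num_bytes=NONCE_BYTES):
    """Return a fresh base64 nonce from the OS CSPRNG (the secrets module)."""
    if num_bytes < NONCE_BYTES:
        raise ValueError("nonce must be at least 128 bits")
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_csp(existing, survey_sources, nonce=None):
    """Merge the survey sources into an existing policy and return the header value.

    Without a nonce, 'unsafe-inline' is added to script-src (the guide's Step 3).
    With a nonce, 'unsafe-inline' is dropped from script-src and 'nonce-<value>'
    is used instead (the guide's 'Additional information' section).
    """
    merged = {directive: list(values) for directive, values in existing.items()}
    for directive, sources in survey_sources.items():
        merged.setdefault(directive, [])
        for source in sources:
            if source not in merged[directive]:
                merged[directive].append(source)
    script_src = merged["script-src"]
    if nonce is None:
        if "'unsafe-inline'" not in script_src:
            script_src.append("'unsafe-inline'")
    else:
        merged["script-src"] = [s for s in script_src if s != "'unsafe-inline'"]
        merged["script-src"].append(f"'nonce-{nonce}'")
    return "; ".join(f"{d} {' '.join(v)}" for d, v in merged.items())


def script_tag(src, nonce):
    """Render the widget <script> tag carrying the same nonce as the header."""
    return f'<script nonce="{nonce}" src="{src}"></script>'


def nonce_is_acceptable(nonce, seen):
    """Check a nonce against the guide's three rules; `seen` holds nonces already issued."""
    try:
        raw = base64.b64decode(nonce, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) * 8 < 128:      # too short
        return False
    if nonce in seen:           # reused across page loads
        return False
    seen.add(nonce)
    return True


if __name__ == "__main__":
    # One request: generate the nonce, send it in the header, and put it in the tag.
    nonce = generate_nonce()
    print("Content-Security-Policy:", build_csp(EXISTING_POLICY, SURVEY_SOURCES, nonce))
    # Hypothetical widget URL used only for illustration.
    print(script_tag("https://library.startquestion.com/widget.js", nonce))
```

The nonce must be generated once per response and written both into the header and into the widget's script tag; a nonce cached in a template or reused across requests fails the first rule above and no longer restricts which inline scripts may run.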