Skip to content

CSP for Giosg services

If your website is using Content-Security-Policy header to ensure security for your clients, you'll need to modify it for giosg services to work.

The following domains are required to be included in CSP header:

  • *.giosg.com
  • *.giosgusercontent.com
  • *.interactionbuilder.giosg.com
  • *.mux.com (for videos in interaction)

Required CSP domains for Giosg services

The following CSP part makes giosg services functional on your website:

1
2
3
4
5
6
7
default-src https://*.giosg.com https://*.giosgusercontent.com https://*.interactionbuilder.giosg.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com https://*.interactionbuilder.giosg.com;
connect-src https://*.giosg.com https://*.giosgusercontent.com https://*.mux.com wss://service.giosg.com;
img-src https://*.giosgusercontent.com;
style-src 'unsafe-inline' https://*.giosg.com https://*.giosgusercontent.com;
frame-src https://*.giosg.com https://*.giosgusercontent.com;
media-src blob:;

Note that if you don't have a CSP part, as connect-src already present on your website, it will use default-src as a fallback. So, merge default-src without exceptions AND merge those parts which are already present on your website.

If you only want to allow usage of all giosg products and nothing else, you can use the following CSP policy. 

1
default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com https://*.interactions.giosgusercontent.com https://*.interactionbuilder.giosg.com https://*.clients.giosgusercontent.com https://*.mux.com blob:;

Note that the required CSP policies may change. We would recommend contacting our customer engagement to inform them that you are applying csp headers so that we can inform you in case that we change them.

Example usage of a CSP header

To make your own CSP, you'll need to merge Giosg-recommended CSP with your own. And then send the policy in your backend. Below is example how to do it in python http.server:

1
self.send_header('Content-Security-Policy', "default-src https://...")