You want to display Screeb surveys while keeping your app secured and protected against injection attacks? Here's how to make Screeb compatible with your Content Security Policy (CSP).


First of all, to make sure Screeb keeps working in your app, we recommend using the default-src directive (which serves as a fallback for the other fetch directives) rather than setting each CSP directive individually ("connect-src", "object-src", "script-src", "frame-src", "style-src", "font-src", ...).

Domains to allow

Screeb uses two protocols to work: HTTPS and WSS. So you need to allow those 2 domains for Screeb to be displayed in your app:


Once you've done that, your surveys will be displayed correctly in your app while respecting your CSP.

Your CSP

So your CSP should - at least - look like this:

default-src 'unsafe-inline' https://* wss://*

And don't forget to add your own domains.

An example

So for example, if you already allowed and, you will go from:

content-security-policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'self'; report-uri /csp-violation-report; frame-ancestors 'self'

to:

content-security-policy: default-src https: 'unsafe-eval' 'unsafe-inline' https://* wss://*; object-src 'self'; report-uri /csp-violation-report; frame-ancestors 'self'
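A way to check the fallback behaviour described above before deploying a policy, as an added example (not Screeb's own code): it resolves which source list governs each directive named on this page and reports where https or wss is not explicitly allowed. The function names are hypothetical, and the matching is deliberately conservative: only the forms "scheme:" and "scheme://*" count, while 'self', bare "*" and host names are not evaluated.

```javascript
// Directives named on the page; each falls back to default-src when absent.
const DIRECTIVES = ["connect-src", "object-src", "script-src", "frame-src", "style-src", "font-src"];

// Parse a CSP header (with or without the header name) into Map<directive, sources>.
function parseCsp(header) {
  const policy = new Map();
  const value = header.replace(/^\s*content-security-policy\s*:/i, "");
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Source list that actually governs a directive, or null if nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  // frame-src falls back to child-src before default-src.
  if (directive === "frame-src" && policy.has("child-src")) return policy.get("child-src");
  return policy.has("default-src") ? policy.get("default-src") : null;
}

// Conservative check: only an explicit "scheme:" or "scheme://*" source counts.
function allowsScheme(sources, scheme) {
  if (sources === null) return true; // no directive applies, nothing is blocked
  return sources.some((s) => {
    const v = s.toLowerCase();
    return v === `${scheme}:` || v === `${scheme}://*`;
  });
}

// For each directive, list which of https / wss the policy does not explicitly allow.
function findGaps(header) {
  const policy = parseCsp(header);
  const gaps = {};
  for (const d of DIRECTIVES) {
    const missing = ["https", "wss"].filter((s) => !allowsScheme(effectiveSources(policy, d), s));
    if (missing.length) gaps[d] = missing;
  }
  return gaps;
}

// The two policies from the example on this page (before and after the change).
const BEFORE = "content-security-policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'self'; report-uri /csp-violation-report; frame-ancestors 'self'";
const AFTER = "content-security-policy: default-src https: 'unsafe-eval' 'unsafe-inline' https://* wss://*; object-src 'self'; report-uri /csp-violation-report; frame-ancestors 'self'";

console.log(findGaps(BEFORE), findGaps(AFTER));
```

On the page's "after" policy only object-src is still reported, because a directive that is set explicitly is not affected by what gets added to default-src.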