Skip to main content
All CollectionsGetting Started with Screeb
Using Screeb with Content Security Policy
Using Screeb with Content Security Policy

All Screeb domains you'll need to allow in your CSP

Simon Robic avatar
Written by Simon Robic
Updated over 2 months ago

You want to display Screeb surveys while being sure your app is secured and protected against injection attacks, here's how to make Screeb compatible with your Content Security Policy (CSP).

Default-src

First of all, to ensure no breaking in the way Screeb will work in your app, we recommend you to use the default-src directive (the "default-src" serving as a fallback for all the other directives), and not each one individual of the CSP directives ("connect-src", "object-src", "script-src", "frame-src", "script-src", "style-src", "font-src", ...).

Domains to allow

Screeb uses two protocols to work: HTTPS and WSS. So you need to allow those 2 domains for Screeb to be displayed in your app:

https://*.screeb.app
wss://*.screeb.app

One you've done that, your surveys will be displayed correctly in your app while respecting your CSP.

Your CSP

So your CSP should - at least - look like this:

default-src 'unsafe-inline' https://*.screeb.app wss://*.screeb.app; prefetch-src https://*.screeb.app; media-src https://*.screeb.app; font-src blob:

And don't forget to add your domains.

An example

So for example, if you already allowed admin.example.com and vip.example.com, you will go from:

content-security-policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'self'; report-uri /csp-violation-report; frame-ancestors 'self' https://admin.example.com https://vip.example.com

To:

content-security-policy: default-src https: 'unsafe-eval' 'unsafe-inline' https://*.screeb.app wss://*.screeb.app; object-src 'self'; report-uri /csp-violation-report; frame-ancestors 'self' https://admin.example.com https://vip.example.com; prefetch-src https://*.screeb.app; media-src https://*.screeb.app; font-src blob:

Questions of type "Calendar"

Screeb allows its users to create a question of type Calendar, to invite users to book a meeting. Many tools can be used, such as Calendly, Google Appointments...

This feature opens an iframe in your web app during the survey. If so, please authorize the domain of your third-party application:

Example:

iframe-src https://calendar.google.com

Did this answer your question?