Content Security Policy

This tutorial refers to Userlike’s live chat product.

Intro

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

If you use CSP on your website, you need to add one of the following rules to make Userlike work.

Rule with font loading

Use this CSP rule when you intend to use custom webfonts in the Chat Widget.

connect-src wss://chat.userlike.com chat.userlike.com api.userlike.com;
font-src data: dq4irj27fs462.cloudfront.net fonts.gstatic.com;
img-src data: api.userlike.com userlike-cdn-operators.s3-eu-west-1.amazonaws.com dq4irj27fs462.cloudfront.net;
media-src dq4irj27fs462.cloudfront.net;
object-src 'none';
script-src 'self' ajax.googleapis.com api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com dq4irj27fs462.cloudfront.net;
style-src data: 'unsafe-inline' fonts.googleapis.com

Rule without font loading

Use this CSP rule when you intend to use system fonts in the Chat Widget.

connect-src wss://chat.userlike.com chat.userlike.com api.userlike.com;
img-src data: api.userlike.com userlike-cdn-operators.s3-eu-west-1.amazonaws.com dq4irj27fs462.cloudfront.net;
media-src dq4irj27fs462.cloudfront.net;
object-src 'none';
script-src 'self' ajax.googleapis.com api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com dq4irj27fs462.cloudfront.net;
style-src data: 'unsafe-inline' fonts.googleapis.com
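
A site that already sends a CSP has to merge these source lists into its own directives, because browsers ignore a directive name that appears a second time in one policy. The following is an added example, not code from Userlike: it merges the "Rule without font loading" into an existing policy string. `mergeCsp`, `parseCsp` and the sample policy with `cdn.example.com` are assumptions made for illustration.

```javascript
// Added example, not Userlike code. Source lists copied from the
// "Rule without font loading" on this page.
const USERLIKE_CSP = [
  "connect-src wss://chat.userlike.com chat.userlike.com api.userlike.com",
  "img-src data: api.userlike.com userlike-cdn-operators.s3-eu-west-1.amazonaws.com dq4irj27fs462.cloudfront.net",
  "media-src dq4irj27fs462.cloudfront.net",
  "object-src 'none'",
  "script-src 'self' ajax.googleapis.com api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com dq4irj27fs462.cloudfront.net",
  "style-src data: 'unsafe-inline' fonts.googleapis.com",
].join("; ");

// Parse a policy string into Map<directive, sources[]>. Browsers ignore a
// directive name that appears a second time, so only the first one is kept.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Merge the required sources into an existing policy (hypothetical helper).
function mergeCsp(existing, required = USERLIKE_CSP) {
  const merged = parseCsp(existing);
  for (const [name, needed] of parseCsp(required)) {
    // A missing fetch directive falls back to default-src. Seed from it so
    // that adding the directive keeps the sources the site already allows.
    const base = merged.get(name) ?? merged.get("default-src") ?? [];
    const union = [...new Set([...base, ...needed])];
    // 'none' only has effect on its own: drop it once real sources exist.
    // This also means the site's own object-src sources win over 'none'.
    const real = union.filter((source) => source !== "'none'");
    merged.set(name, real.length ? real : ["'none'"]);
  }
  return [...merged].map(([name, src]) => [name, ...src].join(" ")).join("; ");
}

// Constructed sample policy for a site that already uses CSP.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' cdn.example.com; object-src 'none'";
console.log(mergeCsp(SAMPLE_POLICY));
```

If the existing style-src contains a nonce or hash source, browsers ignore 'unsafe-inline', so the merged policy alone will not permit inline styles.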