Content Security Policy

Intro

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

If you use CSP on your website, you need to add one of the following rules to make Userlike work.

Rule with font loading

Use this CSP rule when you intend to use custom webfonts in the Website Messenger.

child-src 'self' api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com d3dc1lgancj6l0.cloudfront.net blob:;
connect-src wss://umd.userlike.com umd.userlike.com api.userlike.com d3upe020n1uosc.cloudfront.net www.userlike.com blob:;
font-src data: d3dc1lgancj6l0.cloudfront.net fonts.gstatic.com;
frame-src 'self' api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com d3dc1lgancj6l0.cloudfront.net www.youtube.com player.vimeo.com;
img-src data: userlike-cdn-operators.s3-eu-west-1.amazonaws.com d3upe020n1uosc.cloudfront.net www.userlike.com userlike-store-media-files.s3.amazonaws.com i.ytimg.com;
media-src d3dc1lgancj6l0.cloudfront.net userlike-store-media-files.s3.amazonaws.com www.userlike.com blob:;
object-src 'none';
script-src 'self' 'unsafe-inline' api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com d3dc1lgancj6l0.cloudfront.net

Rule without font loading

Use this CSP rule when you intend to use system fonts in the Website Messenger.

child-src 'self' api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com d3dc1lgancj6l0.cloudfront.net blob:;
connect-src wss://umd.userlike.com umd.userlike.com api.userlike.com d3upe020n1uosc.cloudfront.net www.userlike.com blob:;
frame-src 'self' api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com d3dc1lgancj6l0.cloudfront.net www.youtube.com player.vimeo.com;
img-src data: userlike-cdn-operators.s3-eu-west-1.amazonaws.com d3upe020n1uosc.cloudfront.net www.userlike.com userlike-store-media-files.s3.amazonaws.com i.ytimg.com;
media-src d3dc1lgancj6l0.cloudfront.net userlike-store-media-files.s3.amazonaws.com www.userlike.com blob:;
object-src 'none';
script-src 'self' 'unsafe-inline' api.userlike.com userlike-cdn-widgets.s3-eu-west-1.amazonaws.com d3dc1lgancj6l0.cloudfront.net