Content Security Policies

A Content Security Policy (CSP) allows you to list trusted external and internal scripts, styles, images and other content sources.

These are implemented via an HTTP response header named Content-Security-Policy. You can see an example of this below:

[Image: example of a Content-Security-Policy response header]

If your domain uses policy directives such as:

  • default-src
  • script-src
  • connect-src
  • img-src

you will need to add several SessionCam environments to those directives so that we can serve the scripts which monitor and record user interaction.

You can find these listed below:

  1. https://*.sessioncam.com
  2. https://d2oh4tlt9mrke9.cloudfront.net
  3. ws://*.sessioncam.com
  4. wss://*.sessioncam.com

If you use any experimental CSP directives, the above domains may also need adding to these; if so, the network events within your browser's developer tools will highlight the blocked requests.

As we can sometimes deploy code via strings in our script, we ask that you add 'unsafe-eval' to the directives.

You can see an example of an updated Content Security Policy below:
Content-Security-Policy: default-src 'self' 'unsafe-eval' https://*.sessioncam.com https://d2oh4tlt9mrke9.cloudfront.net ws://*.sessioncam.com wss://*.sessioncam.com;
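The page's example puts every SessionCam source, and 'unsafe-eval', into default-src, which every fetch directive without an explicit entry inherits. The script below is an added example (not SessionCam's own code or tooling) that checks an existing policy for the sources listed above and extends only the specific directives that need them, so 'unsafe-eval' ends up in script-src rather than in the default inherited by every other directive. The mapping of sources to directives (script hosts under script-src, the ws/wss endpoints under connect-src, image hosts under img-src) is an assumption, as is the constructed "BEFORE" header; the matching rules follow the CSP source-expression semantics (first directive wins on duplicates, `*.host` wildcards cover subdomains only, keywords never match via wildcards).

```python
"""Check a Content-Security-Policy header for the sources a third-party
script needs, and extend it without widening default-src.

Added example; not SessionCam's own code.  The directive each SessionCam
source is assigned to is an assumption, and the BEFORE header is a
constructed sample.
"""
from __future__ import annotations

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {
    "script-src", "connect-src", "img-src", "style-src",
    "font-src", "media-src", "frame-src", "worker-src",
}

SESSIONCAM_HOSTS = [
    "https://*.sessioncam.com",
    "https://d2oh4tlt9mrke9.cloudfront.net",
]

# Assumed directive -> required source expressions.  'unsafe-eval' only has
# an effect on script execution, so it is required under script-src alone.
REQUIRED = {
    "script-src": SESSIONCAM_HOSTS + ["'unsafe-eval'"],
    "connect-src": SESSIONCAM_HOSTS + ["ws://*.sessioncam.com", "wss://*.sessioncam.com"],
    "img-src": SESSIONCAM_HOSTS,
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.
    Per the CSP spec a repeated directive is ignored: the first one wins."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources that govern `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def allows(allowed: list[str], needed: str) -> bool:
    """True if the source expression `needed` is covered by `allowed`."""
    if needed in allowed:
        return True
    if needed.startswith("'"):          # keywords only ever match exactly
        return False
    if "*" in allowed:                  # bare wildcard covers http(s)/ws(s) hosts
        return True
    scheme, _, host = needed.partition("://")
    if f"{scheme}:" in allowed:         # scheme-source covers every host
        return True
    for expr in allowed:                # https://*.example.com covers subdomains only
        a_scheme, sep, a_host = expr.partition("://*.")
        if sep and a_scheme == scheme and host.lower().endswith("." + a_host.lower()):
            return True
    return False


def check_policy(header: str) -> dict[str, list[str]]:
    """Return {directive: [missing sources]} for each directive with a gap."""
    policy = parse_csp(header)
    missing: dict[str, list[str]] = {}
    for directive, needed_list in REQUIRED.items():
        allowed = effective_sources(policy, directive)
        gaps = [n for n in needed_list if not allows(allowed, n)]
        if gaps:
            missing[directive] = gaps
    return missing


def extend_policy(header: str, missing: dict[str, list[str]]) -> str:
    """Add the missing sources to the specific directives, never to default-src.
    A directive created here starts as a copy of default-src, because adding
    an explicit script-src (say) removes the fallback and would otherwise
    block sources that default-src had been allowing."""
    policy = parse_csp(header)
    for directive, sources in missing.items():
        if directive not in policy:
            policy[directive] = list(policy.get("default-src", []))
        policy[directive] = policy[directive] + sources
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in policy.items())


# Constructed sample: a site policy from before SessionCam was added.
BEFORE = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
          "img-src 'self' data:")
# The page's own example, where everything lives in default-src.
PAGE_EXAMPLE = ("default-src 'self' 'unsafe-eval' https://*.sessioncam.com "
                "https://d2oh4tlt9mrke9.cloudfront.net ws://*.sessioncam.com "
                "wss://*.sessioncam.com;")

if __name__ == "__main__":
    gaps = check_policy(BEFORE)
    for directive, sources in gaps.items():
        print(f"{directive}: missing {' '.join(sources)}")
    print("patched:", extend_policy(BEFORE, gaps))
    print("page example gaps:", check_policy(PAGE_EXAMPLE))
```

Running it reports the gaps in the constructed BEFORE policy per directive and prints a patched header in which the SessionCam hosts are appended to script-src, img-src and a new connect-src, while default-src is left at 'self'. Re-running the check on the patched header returns no gaps, as it does for the page's own example.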