Content Security Policy (CSP) Settings for Beacon

If your website or web-based app utilizes a Content Security Policy header and you would like to Add Beacon to Your Website or App, you will need allow additional sources for Beacon to work correctly. 

Note: If your organization requires a stricter CSP and these allowances do not conform to your organization's overall security policies, you may not be able to use Beacon on your site or web-based app. 

Beacon supports the use of strict CSP level 3 — add the random nonce to the script tag in your Beacon code to allow it. 

Content-Security-Policy:
    object-src 'none';
    script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
    base-uri 'none';
    report-uri https://your-report-collector.example.com

If you are using CSP levels 1 or 2 then the following entries will need to be added for Beacon to function properly on your website:

connect-src:
    https://beaconapi.helpscout.net
    https://chatapi.helpscout.net
    https://d3hb14vkzrxvla.cloudfront.net
    wss://*.pusher.com 
    *.sumologic.com
child-src: // only needed if your Docs content includes any of the video sources below
    https://www.youtube.com
    https://player.vimeo.com
    https://fast.wistia.net
    https://www.loom.com
    https://share.getcloudapp.com
style-src:
    'unsafe-inline'
    https://fonts.googleapis.com
    https://beacon-v2.helpscout.net
font-src:
    data:
    https://fonts.gstatic.com
    https://beacon-v2.helpscout.net
base-uri:
    https://docs.helpscout.net
script-src:
    'unsafe-inline'
    https://beacon-v2.helpscout.net
frame-src:
    https://beacon-v2.helpscout.net
object-src:
    https://beacon-v2.helpscout.net
img-src:
    https://*.gravatar.com
    https://beacon-v2.helpscout.net
    https://d33v4339jhl8k0.cloudfront.net
    https://chatapi-prod.s3.amazonaws.com/
media-src:
    https://beacon-v2.helpscout.net