Content Security Policy (CSP) Settings for Beacon
If your website or web-based app utilizes a Content Security Policy header and you would like to Add Beacon to Your Website or App, you will need to allow additional sources for Beacon to work correctly.
Note: If your organization requires a stricter CSP and these allowances do not conform to your organization's overall security policies, you may not be able to use Beacon on your site or web-based app.
Beacon supports the use of strict CSP level 3 — add the random nonce to the script tag in your Beacon code to allow it.
Content-Security-Policy: object-src 'none'; script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; base-uri 'none'; report-uri https://your-report-collector.example.com
If you are using CSP levels 1 or 2 then the following entries will need to be added for Beacon to function properly on your website:
connect-src:
  https://beaconapi.helpscout.net
  https://chatapi.helpscout.net
  https://d3hb14vkzrxvla.cloudfront.net
  wss://*.pusher.com
  *.sumologic.com

child-src:
  // only needed if your Docs content includes any of the video sources below
  https://www.youtube.com
  https://player.vimeo.com
  https://fast.wistia.net
  https://www.loom.com
  https://share.getcloudapp.com

style-src:
  'unsafe-inline'
  https://fonts.googleapis.com
  https://beacon-v2.helpscout.net

font-src:
  data:
  https://fonts.gstatic.com
  https://beacon-v2.helpscout.net

base-uri:
  https://docs.helpscout.net

script-src:
  'unsafe-inline'
  https://beacon-v2.helpscout.net

frame-src:
  https://beacon-v2.helpscout.net

object-src:
  https://beacon-v2.helpscout.net

img-src:
  https://*.gravatar.com
  https://beacon-v2.helpscout.net
  https://d33v4339jhl8k0.cloudfront.net
  https://chatapi-prod.s3.amazonaws.com/

media-src:
  https://beacon-v2.helpscout.net
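An added example (not Help Scout's code) of merging the CSP level 1/2 entries above into an existing policy without changing what the site itself may load. A directive that is absent today is seeded from the directive it inherits from, and one that is currently unrestricted is left alone. The function names and the sample policy are constructed for illustration.

```javascript
// Added example. Entries copied from this page; child-src (Docs videos only) is omitted.
const BEACON = {
  'connect-src': 'https://beaconapi.helpscout.net https://chatapi.helpscout.net https://d3hb14vkzrxvla.cloudfront.net wss://*.pusher.com *.sumologic.com',
  'style-src': "'unsafe-inline' https://fonts.googleapis.com https://beacon-v2.helpscout.net",
  'font-src': 'data: https://fonts.gstatic.com https://beacon-v2.helpscout.net',
  'base-uri': 'https://docs.helpscout.net',
  'script-src': "'unsafe-inline' https://beacon-v2.helpscout.net",
  'frame-src': 'https://beacon-v2.helpscout.net',
  'object-src': 'https://beacon-v2.helpscout.net',
  'img-src': 'https://*.gravatar.com https://beacon-v2.helpscout.net https://d33v4339jhl8k0.cloudfront.net https://chatapi-prod.s3.amazonaws.com/',
  'media-src': 'https://beacon-v2.helpscout.net',
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

// Sources that govern a directive today, or undefined when it is unrestricted.
function effective(policy, name) {
  if (policy.has(name)) return policy.get(name);
  if (name === 'base-uri') return undefined; // base-uri has no default-src fallback
  if (name === 'frame-src' && policy.has('child-src')) return policy.get('child-src');
  return policy.get('default-src');
}

function mergeBeacon(header) {
  const policy = parseCsp(header);
  const relaxed = []; // changes that loosen the policy and deserve a security review
  for (const [name, wanted] of Object.entries(BEACON)) {
    const current = effective(policy, name);
    if (!current) continue; // unrestricted already; adding the directive would only tighten it
    const merged = new Set(current.filter((s) => s.toLowerCase() !== "'none'"));
    if (merged.size < new Set(current).size) relaxed.push(`${name}: 'none' replaced`);
    for (const src of wanted.split(' ')) {
      if (src === "'unsafe-inline'" && !merged.has(src)) relaxed.push(`${name}: 'unsafe-inline' added`);
      merged.add(src);
    }
    policy.set(name, [...merged]);
  }
  const out = [...policy].map(([n, s]) => [n, ...s].join(' ')).join('; ');
  return { header: out, relaxed };
}
console.log(mergeBeacon("default-src 'self'; script-src 'self'; object-src 'none'")); // constructed policy
```

The `relaxed` list names the directives where the merge removed `'none'` or introduced `'unsafe-inline'`, which are the changes to weigh against your organization's policy.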