Content Security Policy (CSP) for Qrvey Integrations
A Content Security Policy (CSP) is a browser security mechanism, delivered through the Content-Security-Policy HTTP response header (or an equivalent meta tag), that restricts the origins from which a page may load scripts, styles, fonts, images, frames and network connections. By blocking anything not explicitly allowed, it helps protect applications from attacks such as Cross-Site Scripting (XSS) and data injection.
Qrvey widgets and applications work normally without requiring a CSP configuration. However, if your organization enforces a strict CSP, you must explicitly allow Qrvey resources so that embedded widgets and content can load and function properly.
This article provides the recommended directives to safely support Qrvey in environments with restrictive CSP policies.
Base CSP Example
Below is the base policy configuration you can use as a starting point:
default-src 'self';
img-src 'self' data: blob:;
script-src 'self' 'unsafe-inline' QRVEYINSTANCE.qrveyapp.com;
worker-src blob:;
style-src 'self' 'unsafe-inline' fonts.googleapis.com QRVEYINSTANCE.qrveyapp.com;
font-src 'self' fonts.gstatic.com QRVEYINSTANCE.qrveyapp.com;
connect-src 'self' QRVEYINSTANCE.qrveyapp.com wss://QRVEYINSTANCE.qrveyapp.com maps.geo.us-east-1.amazonaws.com tiles.openfreemap.org;
media-src 'self' data: blob:;
frame-src 'self' blob:;
Replacing QRVEYINSTANCE
Replace all occurrences of QRVEYINSTANCE.qrveyapp.com with the actual domain where your Qrvey platform is hosted. This can be:
- The Qrvey-managed instance domain assigned to your organization, or
- A fully custom domain (e.g., analytics.customerdomain.com) configured for your deployment.
⚠️ Important: The QRVEYINSTANCE value must always match the domain where Qrvey is installed and from which your widgets are actually loaded, i.e. the host in the widget script URL. If your instance runs on a subdomain or a custom URL, use that exact hostname, in the same bare-hostname form used in the policy above, and replace the placeholder in every directive: a directive that still contains the placeholder will block that resource type from your real instance.
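The substitution and a sanity check, as an added example in JavaScript (this is not Qrvey's code): it builds the header value from the template above for a given instance hostname, parses the result back into directives, and reports anything the widgets need that is missing, including a placeholder that was replaced in only some directives. The hostname analytics.customerdomain.com is the page's own illustrative value; the function names are this example's.

```javascript
// Added example, not Qrvey's code. Builds and checks the CSP from this page.

// The page's base policy, serialized the way it appears in a header value.
const QRVEY_CSP_TEMPLATE = [
  "default-src 'self'",
  "img-src 'self' data: blob:",
  "script-src 'self' 'unsafe-inline' QRVEYINSTANCE.qrveyapp.com",
  "worker-src blob:",
  "style-src 'self' 'unsafe-inline' fonts.googleapis.com QRVEYINSTANCE.qrveyapp.com",
  "font-src 'self' fonts.gstatic.com QRVEYINSTANCE.qrveyapp.com",
  "connect-src 'self' QRVEYINSTANCE.qrveyapp.com wss://QRVEYINSTANCE.qrveyapp.com maps.geo.us-east-1.amazonaws.com tiles.openfreemap.org",
  "media-src 'self' data: blob:",
  "frame-src 'self' blob:",
].join("; ");

const PLACEHOLDER = "QRVEYINSTANCE.qrveyapp.com";

// Accept only a bare hostname (no scheme, port or path), which is the form
// the page's policy uses; a pasted "https://host/" would not match the same way.
const BARE_HOSTNAME = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i;

// Returns the Content-Security-Policy header value for one Qrvey instance host.
function buildQrveyCsp(instanceHost) {
  if (!BARE_HOSTNAME.test(instanceHost)) {
    throw new Error(`instanceHost must be a bare hostname, got: ${instanceHost}`);
  }
  // split/join replaces every occurrence, unlike String.replace with a string.
  return QRVEY_CSP_TEMPLATE.split(PLACEHOLDER).join(instanceHost);
}

// Parses a serialized policy into Map<directiveName, Set<sourceExpression>>.
// Browsers honour the first occurrence of a directive and ignore duplicates.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, new Set(sources));
  }
  return directives;
}

// Checks that a policy contains every source this page says the widgets need.
// Returns a list of human-readable problems; an empty list means it is sufficient.
function checkQrveyCsp(policy, instanceHost) {
  const required = {
    "script-src": ["'self'", "'unsafe-inline'", instanceHost],
    "style-src": ["'self'", "'unsafe-inline'", "fonts.googleapis.com", instanceHost],
    "font-src": ["'self'", "fonts.gstatic.com", instanceHost],
    "connect-src": ["'self'", instanceHost, `wss://${instanceHost}`,
      "maps.geo.us-east-1.amazonaws.com", "tiles.openfreemap.org"],
    "img-src": ["'self'", "data:", "blob:"],
    "media-src": ["'self'", "data:", "blob:"],
    "worker-src": ["blob:"],
    "frame-src": ["'self'", "blob:"],
  };
  const problems = [];
  if (policy.includes("QRVEYINSTANCE")) {
    problems.push("placeholder QRVEYINSTANCE was not replaced everywhere");
  }
  const parsed = parseCsp(policy);
  for (const [name, sources] of Object.entries(required)) {
    const present = parsed.get(name);
    if (!present) {
      // An absent fetch directive falls back (eventually) to default-src,
      // which is 'self' only here, so blob:, wss:// and the Qrvey host would be blocked.
      problems.push(`${name} is missing (falls back to default-src 'self')`);
      continue;
    }
    for (const s of sources) {
      if (!present.has(s)) problems.push(`${name} lacks ${s}`);
    }
  }
  return problems;
}

// Usage: build for the page's example custom domain and verify it.
const exampleHost = "analytics.customerdomain.com";
const examplePolicy = buildQrveyCsp(exampleHost);
console.log(examplePolicy);
console.log("problems:", checkQrveyCsp(examplePolicy, exampleHost));
```

Run the check against the policy your server actually emits (for example the value copied from the response headers in the browser's developer tools), not against the template, so that a partial substitution or a directive dropped during deployment is caught. For a staged rollout, send the same value in a Content-Security-Policy-Report-Only header first; the browser then reports violations without blocking anything.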
Directive Details
Directive | Description |
---|---|
default-src 'self' | Fallback for every fetch directive that is not set explicitly: only your own origin is allowed. |
img-src 'self' data: blob: | Allows images from your origin, inline image data (data: URIs) and blob: URLs. |
script-src 'self' 'unsafe-inline' QRVEYINSTANCE.qrveyapp.com | Permits scripts from your origin and from your Qrvey instance, plus inline scripts. Required for widget initialization and execution. 'unsafe-inline' here allows any inline script, including an injected one; see Important Notes. |
worker-src blob: | Allows web workers created from blob: URLs, which Qrvey uses for background processing. |
style-src 'self' 'unsafe-inline' fonts.googleapis.com QRVEYINSTANCE.qrveyapp.com | Allows stylesheets from your origin, your Qrvey instance and Google Fonts, plus the inline styles needed for widget theming. |
font-src 'self' fonts.gstatic.com QRVEYINSTANCE.qrveyapp.com | Allows fonts from your origin, your Qrvey instance and Google Fonts (fonts.gstatic.com). |
connect-src 'self' QRVEYINSTANCE.qrveyapp.com wss://QRVEYINSTANCE.qrveyapp.com maps.geo.us-east-1.amazonaws.com tiles.openfreemap.org | Permits XHR/fetch API calls and WebSocket (wss://) connections to your Qrvey instance, plus the map tile providers (Amazon Location Service and OpenFreeMap) used by map visualizations. |
media-src 'self' data: blob: | Allows audio and video from your origin, data: URIs and blob: URLs. |
frame-src 'self' blob: | Allows iframes from your origin and from blob: URLs, used by some visualizations. |
Important Notes
- CSP configuration is only required if your system enforces a Content Security Policy. If you do not use CSP, Qrvey will work as expected without changes.
- The 'unsafe-inline' keyword under style-src and script-src is required for inline widget styling and initialization.
- Security caveat: 'unsafe-inline' in script-src lets the browser run any inline script on the page, including one injected through an XSS flaw, so it removes most of CSP's script-level protection for that page. Apply this policy only to the pages that embed Qrvey and keep the rest of your application on a stricter policy.
- Browsers ignore 'unsafe-inline' in a directive that also contains a nonce-… or sha256-… source expression, so it cannot simply be appended to an existing nonce- or hash-based script-src; the Qrvey pages need a script-src without nonces or hashes.
- Test before enforcing: deliver the policy in a Content-Security-Policy-Report-Only header first and review the reported violations, then switch to Content-Security-Policy.
Common Scenarios
Situation | Example Adjustment |
---|---|
Using Qrvey-managed instance | Replace QRVEYINSTANCE.qrveyapp.com with the exact domain provided by Qrvey for your environment. |
Using custom domain | Replace QRVEYINSTANCE.qrveyapp.com with your custom domain, e.g., analytics.customerdomain.com . |
Strict CSP enforcement | Ensure every directive above is present with your Qrvey domain, the wss:// WebSocket source and the map tile hosts under connect-src, and the data:/blob: sources where listed. A directive that is omitted falls back to default-src 'self' and blocks the corresponding resource. |
Summary
This CSP configuration ensures that Qrvey’s embedded components and widgets operate correctly in environments with strict content security restrictions. If your organization does not use CSP, no additional configuration is required.