Version: 9.2

Content Security Policy (CSP) for Qrvey Integrations

The Content Security Policy (CSP) serves as a browser security mechanism to help protect applications from attacks such as Cross-Site Scripting (XSS) and data injection.

Qrvey widgets and applications work normally without requiring a CSP configuration. However, if your organization enforces a strict CSP, you must explicitly allow Qrvey resources so that embedded widgets and content can load and function properly.

This article provides the recommended directives to safely support Qrvey in environments with restrictive CSP policies.

Base CSP Example

You can use the following base policy configuration as a starting point:

default-src 'self';
img-src 'self' data: blob:;
script-src 'self' 'unsafe-inline' QRVEYINSTANCE.qrveyapp.com;
worker-src blob:;
style-src 'self' 'unsafe-inline' fonts.googleapis.com QRVEYINSTANCE.qrveyapp.com;
font-src 'self' fonts.gstatic.com QRVEYINSTANCE.qrveyapp.com;
connect-src 'self' QRVEYINSTANCE.qrveyapp.com wss://QRVEYINSTANCE.qrveyapp.com maps.geo.us-east-1.amazonaws.com tiles.openfreemap.org;
media-src 'self' data: blob:;
frame-src 'self' blob:;

Replace QRVEYINSTANCE

Replace all occurrences of QRVEYINSTANCE.qrveyapp.com with the actual domain where your Qrvey platform is hosted.

This can be:

  • The Qrvey-managed instance domain assigned to your organization, or
  • A custom domain (for example, analytics.customerdomain.com) configured for your deployment.

Important: The QRVEYINSTANCE value must always match the domain where Qrvey is installed and from which your widgets are being loaded. If your instance runs on a subdomain or a custom URL, use that exact domain.

Directive Details

| Directive | Description |
|---|---|
| default-src 'self' | Sets the default content source to your own domain. |
| img-src 'self' data: blob: | Allows loading of images from your domain, inline image data, or blob URLs. |
| script-src 'self' 'unsafe-inline' QRVEYINSTANCE.qrveyapp.com | Permits scripts from your domain and from your Qrvey instance. Required for widget initialization and execution. |
| worker-src blob: | Allows web workers from blob URLs, required for background operations. |
| style-src 'self' 'unsafe-inline' fonts.googleapis.com QRVEYINSTANCE.qrveyapp.com | Enables inline styles and stylesheets from Qrvey and Google Fonts. The 'unsafe-inline' source keyword is required for widget functionality and cannot be removed (see Understanding 'unsafe-inline' for Styles below). |
| font-src 'self' fonts.gstatic.com QRVEYINSTANCE.qrveyapp.com | Allows font loading from Qrvey and Google Fonts. |
| connect-src 'self' QRVEYINSTANCE.qrveyapp.com wss://QRVEYINSTANCE.qrveyapp.com maps.geo.us-east-1.amazonaws.com tiles.openfreemap.org | Permits API calls and WebSocket connections to Qrvey and other supported services. |
| media-src 'self' data: blob: | Allows embedded media content to load from secure sources. |
| frame-src 'self' blob: | Enables blob-based iframes used by some visualizations. |

Understanding 'unsafe-inline' for Styles

Qrvey requires the 'unsafe-inline' directive in the style-src policy for proper platform functionality. This is an intentional and necessary part of the platform architecture.

Why 'unsafe-inline' is Required for style-src

The Qrvey platform supports dynamic UI customization, interactive visual transformations, and component-level styling that relies on controlled, internally generated inline styles. While Qrvey recognizes that 'unsafe-inline' for styles is discouraged in strict CSP implementations, removing it is not feasible for the following reasons:

Technical Constraints

  • External Library Dependencies: Qrvey uses third-party libraries that do not support CSP nonce or hash-based approaches for inline styles.
  • Dynamic Component Rendering: The platform generates inline styles programmatically for features like sorting, filtering, and dynamic data visualization.
  • Widget Theming: Custom styling and theming functionality requires runtime style injection.

Security Safeguards

Despite using 'unsafe-inline', Qrvey maintains strong security practices:

  • All inline styles are programmatically generated and not derived from user input.
  • Qrvey enforces robust input sanitization and validation across the platform.
  • Inline CSS is used only within trusted, internal components. It is not injected or influenced by external sources.
  • Regular security reviews ensure all style usage is scoped, deterministic, and free of injection vectors.

Qrvey's Position

At this time, Qrvey does not plan to remove support for inline CSS in the style-src directive. Doing so would:

  • Compromise critical platform functionality.
  • Significantly disrupt existing customer implementations.

Qrvey remains committed to continuously hardening its security posture and ensuring that its use of inline styles is well-controlled and low-risk.

Important Notes

  • CSP configuration is only required if your system enforces a Content Security Policy. If you do not use CSP, Qrvey will work as expected without changes.
  • The 'unsafe-inline' keyword under both style-src and script-src is required for widget functionality.

Common Scenarios

| Situation | Example Adjustment |
|---|---|
| Using Qrvey-managed instance | Replace QRVEYINSTANCE.qrveyapp.com with the exact domain provided by Qrvey for your environment. |
| Using custom domain | Replace QRVEYINSTANCE.qrveyapp.com with your custom domain (for example, analytics.customerdomain.com). |
| Strict CSP enforcement | Ensure all required Qrvey domains, WebSocket URLs, and optional endpoints are added under their respective directives. |
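The placeholder substitution from Replace QRVEYINSTANCE and the "strict CSP enforcement" check above, as an added example that is not Qrvey's own tooling: it renders the base policy for a given instance domain, parses a deployed Content-Security-Policy header, and reports which required sources are missing per directive. The domain analytics.example.com and the deployed header are constructed values.

```python
# Added example (not from the Qrvey documentation). Render the article's base
# CSP for a real instance and diff a deployed header against it.

# Base policy from the article, QRVEYINSTANCE placeholder left in place.
BASE_POLICY = (
    "default-src 'self'; "
    "img-src 'self' data: blob:; "
    "script-src 'self' 'unsafe-inline' QRVEYINSTANCE.qrveyapp.com; "
    "worker-src blob:; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com QRVEYINSTANCE.qrveyapp.com; "
    "font-src 'self' fonts.gstatic.com QRVEYINSTANCE.qrveyapp.com; "
    "connect-src 'self' QRVEYINSTANCE.qrveyapp.com wss://QRVEYINSTANCE.qrveyapp.com "
    "maps.geo.us-east-1.amazonaws.com tiles.openfreemap.org; "
    "media-src 'self' data: blob:; "
    "frame-src 'self' blob:"
)

def parse_csp(header: str) -> dict[str, set[str]]:
    """Split a CSP header into {directive: {source expression, ...}}.
    Directive names are ASCII case-insensitive; sources are kept verbatim."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy

def render_policy(instance_domain: str, template: str = BASE_POLICY) -> str:
    """Replace every QRVEYINSTANCE.qrveyapp.com (including the wss:// form)."""
    return template.replace("QRVEYINSTANCE.qrveyapp.com", instance_domain)

def missing_sources(deployed: str, instance_domain: str) -> dict[str, set[str]]:
    """Per directive, the required Qrvey sources absent from `deployed`.
    A directive that is not set falls back to default-src, so it is checked
    against default-src's list. Comparison is by literal token: a host
    wildcard such as *.example.com is not expanded."""
    required = parse_csp(render_policy(instance_domain))
    actual = parse_csp(deployed)
    gaps = {}
    for directive, sources in required.items():
        present = actual.get(directive, actual.get("default-src", set()))
        if sources - present:
            gaps[directive] = sources - present
    return gaps

if __name__ == "__main__":
    # Constructed deployed header that omits the WebSocket origin, map tiles and blob: workers.
    deployed = ("default-src 'self'; script-src 'self' 'unsafe-inline' analytics.example.com; "
                "connect-src 'self' analytics.example.com")
    for directive, gap in sorted(missing_sources(deployed, "analytics.example.com").items()):
        print(f"{directive}: missing {' '.join(sorted(gap))}")
```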

Summary

This CSP configuration ensures that Qrvey’s embedded components and widgets operate correctly in environments with strict content security restrictions. If your organization does not use CSP, no additional configuration is required.