Content Security Policy

The HTTP Content-Security-Policy (CSP) response header lets a site operator control which resources the user agent may load for a given page. With a few exceptions, a policy is a list of directives (script-src, connect-src, frame-src, and so on), each naming the origins that type of resource may be fetched from; anything not listed is blocked. This limits the damage of cross-site scripting (XSS), since injected markup cannot pull script or data from an origin the policy does not allow.

If you embed the Vouched JS Plugin in a site that sends a Content-Security-Policy header, the policy must allow the sources below for the plugin version you use. In the header itself, keyword sources such as 'self' must be single-quoted, while scheme sources (blob:, data:) and host sources (*.vouched.id) are written bare and separated by spaces; each directive ends with a semicolon.

CSP directives required for V3 (iframe and related versions) of the JS Plugin - https://static.vouched.id/plugin/releases/latest/index.js

default-src 'self' blob: data:;
script-src 'self' *.amplitude.com *.lab.amplitude.com *.jsdelivr.net *.vouched.id *.googleapis.com *.fontawesome.com *.gstatic.com *.browser-intake-datadoghq.com;
connect-src 'self' *.amplitude.com *.lab.amplitude.com *.jsdelivr.net *.vouched.id *.googleapis.com *.fontawesome.com *.gstatic.com *.browser-intake-datadoghq.com;
frame-src 'self' *.vouched.id;

CSP directives required for V2 (and related versions) of the JS Plugin - https://static.vouched.id/plugin/releases/latest/index.js

default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: *.sentry.io *.amplitude.com *.jsdelivr.net *.vouched.id *.googleapis.com *.fontawesome.com *.gstatic.com *.browser-intake-datadoghq.com;

Note that V2 requires 'unsafe-eval' and 'unsafe-inline' and places every source in default-src, which every other fetch directive (styles, images, fonts, frames) falls back to when not set explicitly. That removes most of the XSS protection CSP provides. V3 needs neither keyword and scopes the vendor hosts to script-src and connect-src, so prefer V3 where you can.
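The following is an added example, not code from Vouched or from this page, that shows how the V3 and V2 allow-lists above turn into a header value and lets you check, offline, which resource URLs each policy would permit. It assumes a host page at https://www.example.com (a made-up origin) and implements only the parts of CSP source matching these lists need: fallback to default-src, 'self', scheme sources, and host sources with a leading wildcard. Ports and paths are ignored.

```javascript
// Added example (not Vouched's code or documentation): build the
// Content-Security-Policy header value from a structured allow-list and
// check which resource URLs the resulting policy permits.
// Node.js standard library only; the page origin used below is an assumption.

// Keyword sources must be single-quoted in the header; scheme sources
// (blob:, data:) and host sources (*.vouched.id) are written bare.
const KEYWORDS = new Set(['self', 'unsafe-inline', 'unsafe-eval', 'none']);

// Vendor hosts from the V3 allow-list on this page.
const V3_HOSTS = [
  '*.amplitude.com', '*.lab.amplitude.com', '*.jsdelivr.net', '*.vouched.id',
  '*.googleapis.com', '*.fontawesome.com', '*.gstatic.com',
  '*.browser-intake-datadoghq.com',
];

const V3_POLICY = {
  'default-src': ['self', 'blob:', 'data:'],
  'script-src': ['self', ...V3_HOSTS],
  'connect-src': ['self', ...V3_HOSTS],
  'frame-src': ['self', '*.vouched.id'],
};

// V2 puts everything, including 'unsafe-eval' and 'unsafe-inline', in default-src.
const V2_POLICY = {
  'default-src': [
    'self', 'unsafe-eval', 'unsafe-inline', 'blob:', 'data:',
    '*.sentry.io', '*.amplitude.com', '*.jsdelivr.net', '*.vouched.id',
    '*.googleapis.com', '*.fontawesome.com', '*.gstatic.com',
    '*.browser-intake-datadoghq.com',
  ],
};

// Serialize { directive: [source, ...] } into header syntax, quoting keywords.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => {
      const rendered = sources.map((s) => (KEYWORDS.has(s) ? `'${s}'` : s));
      return `${name} ${rendered.join(' ')}`;
    })
    .join('; ');
}

// Match one host-source ("*.vouched.id", "https://cdn.example.com") against a
// parsed target URL. Ports and paths are ignored, which suffices for the
// hostname-only sources on this page.
function hostSourceMatches(source, target, pageProtocol) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  const scheme = m ? `${m[1].toLowerCase()}:` : pageProtocol;
  const host = (m ? m[2] : source).replace(/[:/].*$/, '').toLowerCase();
  // A plain http: requirement is also satisfied by https: (secure upgrade).
  const schemeOk = target.protocol === scheme ||
    (scheme === 'http:' && target.protocol === 'https:');
  if (!schemeOk) return false;
  if (host.startsWith('*.')) {
    // A leading wildcard matches subdomains only, never the bare domain.
    return target.hostname.endsWith(host.slice(1));
  }
  return target.hostname === host;
}

// Would a document at pageOrigin be allowed to load url as directive?
// Falls back to default-src when the directive is absent, as browsers do
// for fetch directives such as script-src, connect-src and frame-src.
function allows(policy, directive, url, pageOrigin) {
  const sources = policy[directive] ?? policy['default-src'];
  if (!sources) return true; // no governing directive: unrestricted
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === 'self') return target.origin === page.origin;
    if (KEYWORDS.has(src)) return false; // 'none' and 'unsafe-*' never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    return hostSourceMatches(src, target, page.protocol);
  });
}

// Stand-alone run: print the V3 header and two checks against it.
const PAGE_ORIGIN = 'https://www.example.com'; // assumed host page
console.log('Content-Security-Policy: ' + buildCsp(V3_POLICY));
console.log(allows(V3_POLICY, 'script-src',
  'https://static.vouched.id/plugin/releases/latest/index.js', PAGE_ORIGIN));
console.log(allows(V3_POLICY, 'frame-src', 'https://www.amplitude.com/', PAGE_ORIGIN));
```

Two results worth noticing when you run it: a wildcard such as *.vouched.id does not cover the bare domain vouched.id, and a host source without a scheme inherits the page's scheme, so an https page cannot load the plugin over plain http even from an allowed host.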