Content Security Policy

The full list of CSP to whitelist for Cord

If your app has strict Content Security Policy, you will have to whitelist some domains and types for Cord. This page contains the full list, and an explanation for each item.

connect-src https://api.cord.com wss://api.cord.com https://app.cord.com https://o951476.ingest.sentry.io https://s3.eu-west-2.amazonaws.com https://cdn.cord.com; style-src unsafe-inline https://app.cord.com; script-src https://app.cord.com; img-src blob: data: https://s3.eu-west-2.amazonaws.com https://cdn.cord.com worker-src blob:;

Copy

connect-src #

https://api.cord.com: Cord API server from which data such as messages are fetched
wss://api.cord.com: Realtime update are pushed over a websocket
https://app.cord.com: Hosts Cord static assets, some of which are dynamically loaded
https://o951476.ingest.sentry.io: Cord's endpoint for uploading errors
https://s3.eu-west-2.amazonaws.com: Used for downloading/uploading static assets such as attachments and user profile pictures
https://cdn.cord.com: Cord screenshot feature requires to whitelist all domains on which you host static content (images, fonts, etc), including Cord's CDN

style-src #

unsafe-inline: Allow Cord to inject CSS styles from Javascript
https://app.cord.com: Allow Cord stylesheet

script-src #

https://app.cord.com: Allow executing Cord SDK

img-src #

blob: data:: Allow Cord screenshot feature to inline images as blobs/dataURLs
https://s3.eu-west-2.amazonaws.com: Used for downloading/uploading static assets such as attachments and user profile pictures
https://cdn.cord.com: Allow Cord's CDN

worker-src #

blob:: Allows the Web Worker used in Cord screenshot feature

Ask Cordy