Content Security Policy

The full list of CSP rules to whitelist for Cord


If your app has a strict Content Security Policy, you will have to whitelist some domains and source types for Cord. This page contains the full list and an explanation of each item.

connect-src https://api.cord.com wss://api.cord.com https://app.cord.com https://o951476.ingest.sentry.io https://s3.eu-west-2.amazonaws.com https://cdn.cord.com; style-src 'unsafe-inline' https://app.cord.com; script-src https://app.cord.com; img-src blob: data: https://s3.eu-west-2.amazonaws.com https://cdn.cord.com; worker-src blob:;

connect-src

| Rule | Why is this needed? |
| --- | --- |
| https://api.cord.com | Cord API server from which data such as messages is fetched |
| wss://api.cord.com | Realtime updates are pushed over a WebSocket |
| https://app.cord.com | Hosts Cord static assets, some of which are dynamically loaded |
| https://o951476.ingest.sentry.io | Cord's endpoint for uploading errors |
| https://s3.eu-west-2.amazonaws.com | Used for downloading/uploading static assets such as attachments and user profile pictures |
| https://cdn.cord.com | Cord's screenshot feature requires you to whitelist all domains on which you host static content (images, fonts, etc.), including Cord's CDN |

style-src

| Rule | Why is this needed? |
| --- | --- |
| 'unsafe-inline' | Allows Cord to inject CSS styles from JavaScript |
| https://app.cord.com | Allows the Cord stylesheet |

script-src

| Rule | Why is this needed? |
| --- | --- |
| https://app.cord.com | Allows executing the Cord SDK |

img-src

| Rule | Why is this needed? |
| --- | --- |
| blob: data: | Allows the Cord screenshot feature to inline images as blobs/data URLs |
| https://s3.eu-west-2.amazonaws.com | Used for downloading/uploading static assets such as attachments and user profile pictures |
| https://cdn.cord.com | Allows Cord's CDN |

worker-src

| Rule | Why is this needed? |
| --- | --- |
| blob: | Allows the Web Worker used in the Cord screenshot feature |
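
One way to apply this list to an app that already ships a strict policy, as an added example that is not Cord's own code: it merges the sources above into the existing policy and checks the result for two mistakes that silently break a directive. The function names (`parseCsp`, `addCordToCsp`, `lintCsp`) are hypothetical; the fallback handling assumes standard CSP behaviour, where a directive that is present no longer inherits from `default-src`.

```javascript
// Sources Cord needs per directive, copied from the tables on this page.
const CORD_SOURCES = {
  'connect-src': ['https://api.cord.com', 'wss://api.cord.com', 'https://app.cord.com',
    'https://o951476.ingest.sentry.io', 'https://s3.eu-west-2.amazonaws.com', 'https://cdn.cord.com'],
  'style-src': ["'unsafe-inline'", 'https://app.cord.com'],
  'script-src': ['https://app.cord.com'],
  'img-src': ['blob:', 'data:', 'https://s3.eu-west-2.amazonaws.com', 'https://cdn.cord.com'],
  'worker-src': ['blob:'],
};
// Directives the browser consults when one is absent (worker-src has its own chain).
const FALLBACK = { 'worker-src': ['child-src', 'script-src', 'default-src'] };

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so keep the first occurrence only.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Add Cord's sources to an existing policy without breaking the app's own loads.
function addCordToCsp(policy) {
  const original = parseCsp(policy);
  const merged = new Map(original);
  for (const [name, cordSources] of Object.entries(CORD_SOURCES)) {
    // A directive created here stops falling back, so seed it with what applied before.
    const chain = [name, ...(FALLBACK[name] || ['default-src'])];
    const inherited = original.get(chain.find((d) => original.has(d))) || [];
    // 'none' is only valid on its own; drop it once real sources are added.
    const kept = inherited.filter((s) => s.toLowerCase() !== "'none'");
    merged.set(name, [...new Set([...kept, ...cordSources])]);
  }
  return [...merged].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Flag unquoted keywords and directive names inside a source list (a missing ';').
function lintCsp(policy) {
  const problems = [];
  for (const [name, sources] of parseCsp(policy)) {
    for (const s of sources) {
      if (/^(unsafe-inline|unsafe-eval|self|none|strict-dynamic)$/i.test(s)) problems.push(`${name}: ${s} must be written '${s}'`);
      if (/^[a-z]+-src(-elem|-attr)?$/i.test(s)) problems.push(`${name}: missing ';' before ${s}`);
    }
  }
  return problems;
}
```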
