Security is extremely important to Chameleon and we take it seriously. To learn more about our practices, please review this page.
What is a CSP?
A Content Security Policy is a defense mechanism that prevents unauthorized code from running on a web page. Web app administrators can control what resources a user is allowed to load on a specific page. This helps guard against cross-site scripting attacks (XSS).
The CSP defines the
Content-Security-Policy HTTP header, in which the web app administrator can set an allowed list of trusted sources. The browser can then only run content from these sources.
Why am I getting an error?
You may see a CSP error when trying to "Enter Builder" from the Chrome Extension, such as the below.
Alternatively, if you open Dev Tools or the browser console, you may see an error such as:
(index):66 Refused to load the script 'https://fast.trychameleon.com/messo/abcdefghijklmnopqrstuvwxyz/messo.min.js' because it violates the following Content Security Policy directive: \"script-src 'self' 'unsafe-inline' \"."
This indicates that the underlying page has a CSP that has not yet included Chameleon as a trusted source. This can happen when your developers are not aware of your attempts to try/evaluate Chameleon.
This is not unsafe in itself but you will not be able to view or use the Chameleon Builder until your developers include Chameleon as a trusted source.
Adding Chameleon to your CSP
If you're not technical, you'll need to talk to the engineer or developer on your team responsible for security or managing third-party scripts on your site.
To enable Chameleon, add the following string below to any Content-Security-Policy directive allowed lists in your website's request headers.
default-src: https://*.trychameleon.com https://*.chmln-cdn.com
script-src allowed lists will need to include
More specific inclusions
If you don't want to add Chameleon to your
default-src CSP, then you can add it to:
frame-src. And just like
script-src will also need
Here's an example of this:
script-src: 'unsafe-inline' ... https://*.trychameleon.com
connect-src: ... https://*.trychameleon.com wss://*.trychameleon.com
img-src: https://*.chmln-cdn.com blob:
frame-src: https://*.trychameleon.com https://*.chmln-cdn.com
If you wish to exclude
unsafe-inline you have a couple of options:
- Add the Chameleon snippet to your JS bundle or main chunk so that it's not included "inline" in the HTML page.
- Load the Chameleon snippet via
scripttag like this:
<script src="https://fast.trychameleon.com/snippet/ACCOUNT_TOKEN/snippet.js" async defer crossorigin="anonymous"></script>
unsafe-eval to enable Custom Scripts
Chameleon's allows you to run custom code scripts from Step Button or Launcher Item, to perform other custom actions, such as opening a chat messenger or sending data to a particular system. This can provide you flexibility in cases where Chameleon does not already offer a direct integration.
This feature requires the addition of
unsafe eval in the
script-src CSP setting:
script-src: 'unsafe-eval' ... https://*.trychameleon.com