Security is extremely important to Chameleon and we take it seriously. To learn more about our practices, please review this page.

What is a CSP?

A Content Security Policy is a defense mechanism that prevents unauthorized code from running on a web page. Web app administrators can control what resources a user is allowed to load on a specific page. This helps guard against cross-site scripting attacks (XSS).

The CSP defines the Content-Security-Policy HTTP header, in which the web app administrator can set an allowed list of trusted sources. The browser can then only run content from these sources.

Why am I getting an error?

You may see a CSP error when trying to "Enter Builder" from the Chrome Extension, such as the below.

Screenshot of a CSP error within the Chrome Extension

Alternatively, if you open Dev Tools or the browser console, you may see an error such as:

(index):66 Refused to load the script '' because it violates the following Content Security Policy directive: \"script-src 'self' 'unsafe-inline' \"."

This indicates that the underlying page has a CSP that has not yet included Chameleon as a trusted source. This can happen when your developers are not aware of your attempts to try/evaluate Chameleon.

This is not unsafe in itself but you will not be able to view or use the Chameleon Builder until your developers include Chameleon as a trusted source.

Adding Chameleon to your CSP

If you're not technical, you'll need to talk to the engineer or developer on your team responsible for security or managing third-party scripts on your site.

To enable Chameleon, add the following string below to any Content-Security-Policy directive allowed lists in your website's request headers.

default-src: https://* https://*

Your script-src allowed lists will need to include 'unsafe-inline'. This is necessary to include the Chameleon JavaScript snippet directly into the html page.

More specific inclusions

If you don't want to add Chameleon to your default-src CSP, then you can add it to: script-src, connect-src, img-src, font-src, and frame-src. And just like default-src, script-src will also need 'unsafe-inline'.

Here's an example of this:

script-src: 'unsafe-inline' ... https://*
connect-src: ... https://* wss://*
img-src: https://* blob:
font-src: https://*
frame-src: https://* https://*

Excluding unsafe-inline

If you wish to exclude unsafe-inline you have a couple of options:

  1. Add the Chameleon snippet to your JS bundle or main chunk so that it's not included "inline" in the HTML page.

  2. Load the Chameleon snippet via script tag like this:

<script src="" async defer crossorigin="anonymous"></script>

Adding unsafe-eval to enable Custom Scripts

Chameleon's allows you to run custom code scripts from Step Button or Launcher Item, to perform other custom actions, such as opening a chat messenger or sending data to a particular system. This can provide you flexibility in cases where Chameleon does not already offer a direct integration.

This feature requires the addition of unsafe eval in the script-src CSP setting:

script-src: 'unsafe-eval' ... https://*

More information

For anyone who is technical but hasn't run into this issue before, take a read through this article from HTML5 Rocks about CSP's or this one for more information.

Did this answer your question?