Content Security Policies For Browsealoud V 3.0.0 And Above

Content Security Policies are becoming increasingly common on websites. They are intended to prevent code from being injected into your website, to control cross-site scripting, and to prevent clickjacking and other code-injection attacks.

Because Browsealoud is a third party script you install on your website, it is possible for a CSP to stop Browsealoud working correctly. You may need to adjust your CSP to allow Browsealoud to work.

Browsealoud supports strict CSPs that disallow eval() and inline scripts. However, Browsealoud still needs to load certain media types and files from third-party locations to function on your website.

Find out more about Content Security Policies.  

This configuration has been updated for the Browsealoud 3.0.0 release on 18th May 2020.

Browsealoud version 3 includes the legacy toolbar for users interacting with your site when using IE 11 and MS Edge v18. If you want this to work with your CSP, follow the support article for Browsealoud V 2.6.1.

Recommended Browsealoud V3.0.0 CSP

The directives are shown one source per line for readability; deliver them as a single Content-Security-Policy header value (or a meta tag) with the sources separated by spaces.

  default-src
    'self';
  style-src
    'self'
    'unsafe-inline'
    https://www.browsealoud.com
    https://plus.browsealoud.com;
  script-src
    https://plus.browsealoud.com
    https://www.browsealoud.com
    https://*.speechstream.net
    https://www.googletagmanager.com/
    https://www.google-analytics.com/
    https://apis.google.com
    https://wikisum.texthelp.com/
    'sha256-XwQT/PsFMy+rKSB4vlW93i5lrzIRaGmPC3M2D0C3ZKU=';
  img-src
    https://speechstreamv3-webservices-8.texthelp.com/
    https://www.browsealoud.com
    'self'
    https://plus.browsealoud.com
    https://upload.wikimedia.org
    https://www.google-analytics.com/
    https://stats.g.doubleclick.net
    data:;
  child-src
    'self'
    https://content.googleapis.com
    https://www.googletagmanager.com/ns.html;
  connect-src
    blob:
    https://plus.browsealoud.com/
    https://www.browsealoud.com
    https://en.wikipedia.org/
    https://wikisum.texthelp.com/
    https://speechstreamv3-webservices-8.texthelp.com/
    https://babm.texthelp.com
    https://*.speechstream.net
    https://stats.g.doubleclick.net
    https://www.google-analytics.com/;
  media-src
    'self'
    blob:
    https://*.speechstream.net;


CSP Explained

Individual parts of the CSP are explained below:

Default-src - This serves as a fallback for the other CSP fetch directives: any fetch directive you do not list (for example font-src) is governed by this value instead:

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

Style-src - Defines valid sources of stylesheets:

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • 'unsafe-inline' - Permits inline styles (style attributes and <style> elements), which Browsealoud requires for its user interface. This keyword appears only under style-src; script-src keeps inline scripts blocked, apart from the hashed snippet listed below

  • https://www.browsealoud.com - Loads styles for the Browsealoud user interface

  • https://plus.browsealoud.com - Loads styles for the Browsealoud user interface

Script-src - Defines valid sources of JavaScript:

  • https://plus.browsealoud.com - Used to allow the main Browsealoud JavaScript to run

  • https://www.browsealoud.com - Used to allow the main Browsealoud JavaScript to run

  • https://*.speechstream.net - Texthelp domain hosting the speech services including mp3 creation

  • https://www.googletagmanager.com - Required to permit Google Tag Manager to run (used to load the Google Analytics Script)

  • https://www.google-analytics.com - Required to permit Google Analytics to run (for anonymous usage logging)

  • https://apis.google.com - This is required to permit Google Translate to work on your website

  • https://wikisum.texthelp.com - This is required to permit the wiki definitions feature in the summariser to run

  • 'sha256-XwQT/PsFMy+rKSB4vlW93i5lrzIRaGmPC3M2D0C3ZKU=' - Allows the inline snippet that injects the Google Tag Manager script without opening script-src to all inline scripts: the browser computes the SHA-256 hash of the inline script's exact text and executes it only if the hash matches, so any change to that snippet causes it to be blocked
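Added example, not Texthelp's code: how a browser derives the 'sha256-…' source expression from an inline script's text, and why a hash-listed policy blocks any edited copy. The script body is a constructed stand-in, not the real Google Tag Manager snippet.

```python
# Added example (not Texthelp's code): compute the CSP hash source for an inline script
# and confirm that any edit to the script text invalidates it. The script body is constructed.
import base64
import hashlib

def csp_hash_source(script_text):
    """Return the 'sha256-…' source expression for the exact body of an inline <script>."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def inline_script_allowed(script_src_sources, script_text):
    """An inline script runs if a listed hash matches its text. 'unsafe-inline' only
    counts when no hash or nonce source is present (browsers ignore it otherwise)."""
    quoted = [s.strip("'") for s in script_src_sources if s.startswith("'")]
    hashes = [q for q in quoted if q.startswith(("sha256-", "sha384-", "sha512-", "nonce-"))]
    if hashes:
        return csp_hash_source(script_text) in hashes
    return "unsafe-inline" in quoted

INLINE = "console.log('loader');"   # constructed stand-in for the tag-manager snippet
SOURCES = ["https://plus.browsealoud.com", "'" + csp_hash_source(INLINE) + "'"]
```

Even a single added newline or space inside the snippet changes the hash, so regenerate the value whenever the snippet is edited.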

Img-src - This section defines where image files can be loaded from:

  • https://speechstreamv3-webservices-8.texthelp.com - Texthelp domain hosting the picture dictionary service

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • https://plus.browsealoud.com - Images loaded as part of the Browsealoud user interface

  • https://www.browsealoud.com - Images loaded as part of the Browsealoud user interface

  • https://upload.wikimedia.org - This is required to permit the wiki definitions feature to retrieve and display images

  • https://www.google-analytics.com - Required for analytics reporting.

  • https://stats.g.doubleclick.net - Required for analytics reporting.

  • data: - Required to allow resources such as Base64-encoded images embedded as data: URLs.

Child-src - Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>:

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • https://content.googleapis.com - Required for the Translate feature, which uses Google Translate

  • https://www.googletagmanager.com/ns.html - Used to manage our Google Analytics and prevent it clashing with any analytics of your own

Connect-src - Restricts the URLs that scripts may contact through fetch, XMLHttpRequest (AJAX), WebSocket or EventSource:

  • blob: - Blob URLs are the form in which audio is returned from the speech servers

  • https://plus.browsealoud.com - Used to fetch information files to configure Browsealoud’s settings for your website

  • https://www.browsealoud.com - Used to allow the main Browsealoud JavaScript to run

  • https://en.wikipedia.org - This is required to permit the wiki definitions feature in the summariser to run

  • https://wikisum.texthelp.com - This is required to permit the wiki definitions feature in the summariser to run

  • https://speechstreamv3-webservices-8.texthelp.com - Texthelp domain hosting the picture dictionary service

  • https://babm.texthelp.com - This is where custom pronunciation data is loaded from

  • https://*.speechstream.net - Texthelp domain hosting the speech services including mp3 creation

  • https://stats.g.doubleclick.net - Used for Browsealoud usage analytics.

  • https://www.google-analytics.com - Used for Browsealoud usage analytics.

Media-src - This defines where media files (audio and video) are permitted to be loaded from:

  • blob: - Blob URLs are the form in which audio is returned from the speech servers

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • https://*.speechstream.net - Texthelp domain hosting the speech services including mp3 creation
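Added example, not Texthelp's code: a small checker that parses the recommended policy above and answers, per directive, whether a given resource URL would be allowed, including the fallback to default-src described in this section (so it shows, for instance, that a font fetched from a Browsealoud host would be blocked because no font-src is listed). The page origin https://www.example.org is an assumed, constructed value.

```python
# Added example (not Texthelp's code): parse the policy above and answer "would this resource
# load?" for a fetch directive, walking the CSP3 fallback chain. Page origin is constructed.
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://www.example.org"   # assumed origin of the site embedding Browsealoud
POLICY = (
    "default-src 'self'; style-src 'self' 'unsafe-inline' https://www.browsealoud.com https://plus.browsealoud.com; "
    "script-src https://plus.browsealoud.com https://www.browsealoud.com https://*.speechstream.net "
    "https://www.googletagmanager.com/ https://www.google-analytics.com/ https://apis.google.com "
    "https://wikisum.texthelp.com/ 'sha256-XwQT/PsFMy+rKSB4vlW93i5lrzIRaGmPC3M2D0C3ZKU='; "
    "img-src https://speechstreamv3-webservices-8.texthelp.com/ https://www.browsealoud.com 'self' "
    "https://plus.browsealoud.com https://upload.wikimedia.org https://www.google-analytics.com/ "
    "https://stats.g.doubleclick.net data:; child-src 'self' https://content.googleapis.com "
    "https://www.googletagmanager.com/ns.html; connect-src blob: https://plus.browsealoud.com/ "
    "https://www.browsealoud.com https://en.wikipedia.org/ https://wikisum.texthelp.com/ "
    "https://speechstreamv3-webservices-8.texthelp.com/ https://babm.texthelp.com https://*.speechstream.net "
    "https://stats.g.doubleclick.net https://www.google-analytics.com/; media-src 'self' blob: https://*.speechstream.net"
)
# Absent directives fall back along this chain (simplified: CSP3 also consults script-src
# for worker-src); every other fetch directive falls back to default-src.
FALLBACK = {"frame-src": "child-src", "worker-src": "child-src"}

def parse_policy(text):
    """Return {directive: [source expressions]}; directive names are ASCII case-insensitive."""
    return {t[0].lower(): t[1:] for t in (p.split() for p in text.split(";")) if t}

def host_matches(src, u):
    """CSP host-source match: same scheme, '*.' host wildcard, '/'-terminated path prefix or exact path."""
    s = urlsplit(src)
    h = s.hostname or ""
    if (s.scheme != u.scheme or (h.startswith("*.") and not u.hostname.endswith(h[1:]))
            or (not h.startswith("*.") and h != u.hostname)):
        return False
    if s.path in ("", "/"):
        return True
    return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path

def allows(policy, directive, url):
    """True if url may load under a fetch directive after walking the fallback chain."""
    while directive not in policy:
        if directive == "default-src":
            return True                        # nothing in the policy governs this fetch
        directive = FALLBACK.get(directive, "default-src")
    u = urlsplit(url)
    for src in policy[directive]:
        if src.endswith(":") and u.scheme == src[:-1]:       # scheme-source: data:, blob:
            return True
        if src == "'self'" or not src.startswith("'"):       # hashes/keywords never match URLs
            if host_matches(PAGE_ORIGIN if src == "'self'" else src, u):
                return True
    return False
```

Run it against your own origin and the resources your site actually requests to spot blocks before deploying the header.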