Content Security Policies For Browsealoud

Content Security Policies are becoming increasingly common on websites. A CSP tells the browser which sources a page may load scripts, styles, images and other content from, and is intended to stop code being injected into your website, to control cross-site scripting (XSS) and to prevent clickjacking and other code injection attacks.

Because Browsealoud is a third-party script you install on your website, a CSP can stop Browsealoud working correctly. You may need to adjust your CSP to allow Browsealoud to work.

Browsealoud 2.5.4 onwards supports strict CSPs that disallow eval() and inline scripts. However, Browsealoud still needs to load certain media types and files from third-party locations to function on your website.

Find out more about Content Security Policies.  

Recommended CSP

This is the default CSP that we recommend you use to integrate Browsealoud. Each part of it is explained below.

A CSP can be applied to a page in a meta tag or in an HTTP response header set on the web server; the policy string is the same in both cases. It is up to the website owner to decide the best way to implement their CSP.

This CSP assumes that Browsealoud is loaded over HTTPS on an HTTPS site and that the website is using the Best Practice Browsealoud Configuration.

(Lines below indicated in red were changed in Version 2.6.1)

default-src
  'self';

style-src
  'self'
  'unsafe-inline'
  https://plus.browsealoud.com
  https://fonts.googleapis.com;

font-src
  'self'
  https://fonts.gstatic.com
  data:;

script-src
  https://plus.browsealoud.com
  https://www.browsealoud.com
  https://*.speechstream.net
  https://fonts.googleapis.com
  https://www.google-analytics.com/
  https://www.googletagmanager.com/
  https://apis.google.com
  'sha256-IiAttzCguiZuFliqNNdfibnq9Fo/+3+w8RfqGi/u0iQ=';

img-src
  https://browsealoud-webservices-8.texthelp.com/
  'self'
  https://plus.browsealoud.com
  https://www.google-analytics.com/
  https://stats.g.doubleclick.net
  data:;

child-src
  'self'
  https://content.googleapis.com
  https://www.googletagmanager.com/ns.html;

connect-src
  https://browsealoud-webservices-8.texthelp.com/
  https://plus.browsealoud.com
  https://babm.texthelp.com
  https://*.speechstream.net
  https://stats.g.doubleclick.net
  https://www.google-analytics.com/;

media-src
  'self'
  blob:
  https://*.speechstream.net;
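To check an existing policy against this list before you deploy it, here is an added Python example (not Texthelp's own tooling): it parses a CSP header value, applies the default-src fallback and the host, scheme and path matching rules browsers use, and reports which of the sources above are still missing. REQUIRED and RECOMMENDED are copied from the policy above; the constructed SAMPLE_STRICT policy, the probe URLs and the helper names are this example's own assumptions.

```python
# Added example, not Texthelp's own tooling: parse a site's CSP and report which of
# the sources Browsealoud needs are missing, honouring the default-src fallback.
# REQUIRED and RECOMMENDED are copied from the recommended policy above; the helper
# names, SAMPLE_STRICT and the probe URLs are this example's own constructions.
from urllib.parse import urlsplit

REQUIRED = {  # sources Browsealoud needs in each fetch directive
    "style-src": ["'self'", "'unsafe-inline'", "https://plus.browsealoud.com", "https://fonts.googleapis.com"],
    "font-src": ["'self'", "https://fonts.gstatic.com", "data:"],
    "script-src": ["https://plus.browsealoud.com", "https://www.browsealoud.com", "https://*.speechstream.net",
                   "https://fonts.googleapis.com", "https://www.google-analytics.com",
                   "https://www.googletagmanager.com", "https://apis.google.com"],
    "img-src": ["'self'", "https://browsealoud-webservices-8.texthelp.com", "https://plus.browsealoud.com",
                "https://www.google-analytics.com", "https://stats.g.doubleclick.net", "data:"],
    "child-src": ["'self'", "https://content.googleapis.com", "https://www.googletagmanager.com/ns.html"],
    "connect-src": ["https://browsealoud-webservices-8.texthelp.com", "https://plus.browsealoud.com",
                    "https://babm.texthelp.com", "https://*.speechstream.net",
                    "https://stats.g.doubleclick.net", "https://www.google-analytics.com"],
    "media-src": ["'self'", "blob:", "https://*.speechstream.net"],
}
# A constructed strict policy of the kind that stops Browsealoud loading, and the
# recommended policy from this page written as a single header value.
SAMPLE_STRICT = "default-src 'self'; script-src 'self' https://www.googletagmanager.com; img-src 'self' data:; style-src 'self'"
RECOMMENDED = (
    "default-src 'self'; "
    "style-src 'self' 'unsafe-inline' https://plus.browsealoud.com https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com data:; "
    "script-src https://plus.browsealoud.com https://www.browsealoud.com https://*.speechstream.net "
    "https://fonts.googleapis.com https://www.google-analytics.com/ https://www.googletagmanager.com/ "
    "https://apis.google.com 'sha256-IiAttzCguiZuFliqNNdfibnq9Fo/+3+w8RfqGi/u0iQ='; "
    "img-src https://browsealoud-webservices-8.texthelp.com/ 'self' https://plus.browsealoud.com "
    "https://www.google-analytics.com/ https://stats.g.doubleclick.net data:; "
    "child-src 'self' https://content.googleapis.com https://www.googletagmanager.com/ns.html; "
    "connect-src https://browsealoud-webservices-8.texthelp.com/ https://plus.browsealoud.com "
    "https://babm.texthelp.com https://*.speechstream.net https://stats.g.doubleclick.net "
    "https://www.google-analytics.com/; media-src 'self' blob: https://*.speechstream.net"
)

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:  # a repeated directive is ignored by browsers: the first occurrence wins
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _port(parts):  # explicit port, else the scheme's default port
    return parts.port or {"http": 80, "https": 443}.get(parts.scheme)

def source_matches(expr, url, page):
    """Does one source expression authorise a request for `url` made by `page`?"""
    u, p = urlsplit(url), urlsplit(page)
    if expr.startswith("'"):  # keywords, hashes and nonces: only 'self' can authorise a URL
        return expr.lower() == "'self'" and (u.scheme, u.hostname, _port(u)) == (p.scheme, p.hostname, _port(p))
    if expr.endswith(":") and "/" not in expr:  # scheme source such as data: or blob:
        return u.scheme == expr[:-1].lower()
    e = urlsplit(expr if "://" in expr else "//" + expr)
    if e.scheme and u.scheme != e.scheme.lower():  # exact scheme match (http->https upgrade not modelled)
        return False
    if not e.scheme and u.scheme not in (p.scheme, "https"):  # schemeless host takes the page's scheme
        return False
    want, host = (e.hostname or "").lower(), u.hostname or ""
    host_ok = want == "*" or (host.endswith(want[1:]) if want.startswith("*.") else host == want)
    if not host_ok or (e.port and e.port != _port(u)):
        return False
    if e.path.endswith("/"):  # a path ending in "/" is a prefix; any other path must match exactly
        return u.path.startswith(e.path)
    return not e.path or u.path == e.path

def allows(policy, directive, url, page):
    """Apply a fetch directive, falling back to default-src as browsers do."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(source_matches(s, url, page) for s in sources)

def probe_url(expr, page):
    """Turn a required source expression into a representative request URL (constructed)."""
    if expr == "'self'":
        return page + "/browsealoud-probe"
    if expr in ("data:", "blob:"):
        return expr + "constructed-resource"
    url = expr.replace("*.", "eu.")  # assumed subdomain standing in for the wildcard
    return url if urlsplit(url).path else url + "/"

def browsealoud_gaps(header, page="https://www.example.org"):
    """Return {directive: [required sources the policy does not allow]}; {} means nothing is missing."""
    policy, gaps = parse_csp(header), {}
    for directive, needed in REQUIRED.items():
        effective = policy.get(directive, policy.get("default-src"))
        for expr in needed:
            if effective is None:
                ok = True
            elif expr == "'unsafe-inline'":
                ok = "'unsafe-inline'" in [s.lower() for s in effective]
            else:
                ok = allows(policy, directive, probe_url(expr, page), page)
            if not ok:
                gaps.setdefault(directive, []).append(expr)
    return gaps
```

Run browsealoud_gaps() on the exact value you serve in the Content-Security-Policy header or meta tag, passing your site's origin as page. An empty result means every source Browsealoud needs is allowed; otherwise you get the exact expressions to add per directive, including those that fail only because the directive is absent and fell back to default-src 'self'. For SAMPLE_STRICT the whole of connect-src and media-src is reported, because neither directive is set and 'self' covers none of the Texthelp hosts.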

CSP Explained

Individual parts of the CSP are explained below:

default-src - Serves as the fallback for any fetch directive that is not set explicitly:

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

style-src - Defines valid sources of stylesheets:

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • 'unsafe-inline' - Permits inline styles (style attributes and <style> elements), which Browsealoud uses to style its user interface

  • https://plus.browsealoud.com - Loads styles for the Browsealoud user interface

  • https://fonts.googleapis.com - Used to support fonts required for the Browsealoud user interface

font-src - Defines valid sources of fonts:

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • https://fonts.gstatic.com - Loads fonts required for the Browsealoud user interface

  • data: - Required to allow resources embedded as Base64 encoded data: URLs (here, fonts) to load

script-src - Defines valid sources of JavaScript:

  • https://plus.browsealoud.com - Used to allow the main Browsealoud JavaScript to run

  • https://www.browsealoud.com - Used to allow the main Browsealoud JavaScript to run

  • https://*.speechstream.net - Texthelp domain hosting the speech services, including mp3 creation

  • https://fonts.googleapis.com - For use of Google Fonts in the Browsealoud user interface

  • https://www.googletagmanager.com - Required to permit Google Tag Manager to run (used to load the Google Analytics script)

  • https://www.google-analytics.com - Required to permit Google Analytics to run (for anonymous usage logging)

  • https://apis.google.com - Required to permit Google Translate to work on your website

  • 'sha256-IiAttzCguiZuFliqNNdfibnq9Fo/+3+w8RfqGi/u0iQ=' - Used to securely inject the Google Tag Manager script on your site. It is the SHA-256 hash of the inline script being injected, so the browser runs only that exact script and blocks any altered version
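Because a hash source pins the exact bytes of an inline script, the value has to be recomputed whenever that snippet changes. The following added Python example (not Texthelp's code) derives the 'sha256-…' expression for an inline script body and audits a page's inline scripts against a script-src value, including the rule that 'unsafe-inline' is ignored once any hash or nonce is present. SAMPLE_HTML and the helper names are constructed for the example.

```python
# Added example, not Texthelp's code: derive the CSP hash source expression for an
# inline script and audit a page's inline scripts against a script-src value.
# SAMPLE_HTML and the helper names are this example's own constructions.
import base64
import hashlib
import re

# Constructed page with one inline script and one external script.
SAMPLE_HTML = """<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://www.example.org/app.js"></script>
</head></html>"""

def script_hash(inline_body, algorithm="sha256"):
    """Return the hash source expression for the body of an inline <script>.

    The digest covers the exact bytes between <script> and </script>, with no
    trimming or normalisation: changing a single space changes the hash.
    """
    digest = hashlib.new(algorithm, inline_body.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"

def extract_inline_scripts(html):
    """Bodies of <script> elements that carry no src attribute (minimal regex parser)."""
    pattern = r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>"
    return [m.group(1) for m in re.finditer(pattern, html, re.S | re.I)]

def inline_script_allowed(script_src_value, inline_body):
    """Would this script-src source list let the browser run the inline script?"""
    sources = script_src_value.split()
    keywords = {s.lower() for s in sources}
    has_hash_or_nonce = any(k.startswith(("'sha", "'nonce-")) for k in keywords)
    if "'unsafe-inline'" in keywords and not has_hash_or_nonce:
        return True  # browsers ignore 'unsafe-inline' once any hash or nonce is present
    return script_hash(inline_body) in sources  # base64 is case-sensitive, so compare verbatim

def audit_inline_scripts(html, script_src_value):
    """Map each inline script's hash expression to whether the policy allows it."""
    return {script_hash(body): inline_script_allowed(script_src_value, body)
            for body in extract_inline_scripts(html)}
```

audit_inline_scripts() gives you, for every inline script on a page, the expression you would need in script-src and whether your current value already allows it. A script that is reported as not allowed is exactly what shows up in the browser console as a CSP violation once the policy is enforced.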

img-src - Defines where image files can be loaded from:

  • https://browsealoud-webservices-8.texthelp.com - Texthelp domain hosting the picture dictionary service

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • https://plus.browsealoud.com - Images loaded as part of the Browsealoud user interface

  • https://www.google-analytics.com - Required for analytics reporting

  • https://stats.g.doubleclick.net - Required for analytics reporting

  • data: - Required to allow resources such as Base64 encoded images to load

child-src - Defines valid sources for web workers and for nested browsing contexts loaded using elements such as <frame> and <iframe>. Browsers check frame-src (for frames) and worker-src (for workers) first and fall back to child-src only when those are absent, so if your policy already sets either of them, add the same sources there:

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • https://content.googleapis.com - Required for the Translate feature, which uses Google Translate

  • https://www.googletagmanager.com/ns.html - Used to manage our Google Analytics and prevent it clashing with any analytics of your own

connect-src - Restricts the URLs that scripts may connect to via XMLHttpRequest (AJAX), fetch(), WebSocket or EventSource:

  • https://browsealoud-webservices-8.texthelp.com - Texthelp domain hosting the picture dictionary service

  • https://plus.browsealoud.com - Used to fetch the configuration files that set up Browsealoud for your website

  • https://babm.texthelp.com - Where custom pronunciation data is loaded from

  • https://*.speechstream.net - Texthelp domain hosting the speech services, including mp3 creation

  • https://stats.g.doubleclick.net - Used for Browsealoud usage analytics

  • https://www.google-analytics.com - Used for Browsealoud usage analytics

media-src - Defines where media files (audio and video) are permitted to be loaded from:

  • blob: - Allows media held in blob: URLs, which is how audio returned from the speech servers is handed to the player

  • 'self' - Allow all content hosted on the website’s own domain to be loaded

  • https://*.speechstream.net - Texthelp domain hosting the speech services, including mp3 creation