Content Security Policy

The Content Security Policy (CSP) is a security standard introduced to prevent various attacks, including Cross-Site Scripting (XSS) and data injection attacks. It allows web developers to specify the domains the browser should consider valid sources of executable scripts for a given webpage.

By doing this, CSP can effectively reduce the risk of XSS attacks by specifying which sources are trusted, preventing browsers from executing scripts not approved as part of the policy.

If you choose to utilize CSP with Descope Flows, below is an example of a valid CSP configuration, including the necessary references to static.descope.com.

index.html
<meta
	http-equiv="Content-Security-Policy"
	content="connect-src 'self' static.descope.com api.descope.com;
	style-src 'unsafe-inline' fonts.googleapis.com;
	img-src static.descope.com content.app.descope.com;
	font-src fonts.gstatic.com static.descope.com;
	script-src 'self' static.descope.com;"
/>

Your CSP will need to include these references in order to effectively use flows without browser errors.
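To check an existing policy against the references above before enabling flows, the following added example (not Descope's own code) parses a CSP string and lists which of those hosts it would block. The required-host table is an assumption copied from the sample policy on this page, the function names are hypothetical, and `STRICT_POLICY` is a constructed policy used for comparison.

```javascript
// Hosts per directive, copied from the sample policy on this page.
const REQUIRED = {
  'connect-src': ['static.descope.com', 'api.descope.com'],
  'style-src': ['fonts.googleapis.com'],
  'img-src': ['static.descope.com', 'content.app.descope.com'],
  'font-src': ['fonts.gstatic.com', 'static.descope.com'],
  'script-src': ['static.descope.com'],
};
// The page's policy, and a constructed stricter policy for comparison.
const PAGE_POLICY = `connect-src 'self' static.descope.com api.descope.com;
  style-src 'unsafe-inline' fonts.googleapis.com;
  img-src static.descope.com content.app.descope.com;
  font-src fonts.gstatic.com static.descope.com;
  script-src 'self' static.descope.com;`;
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://*.descope.com; img-src static.descope.com";

// Parse a policy string into Map(directive name -> source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// True if one host-source covers host. Keywords ('self', nonces) and
// scheme-only sources (https:) are not evaluated and count as no match.
function sourceAllows(source, host) {
  if (source === '*') return true;
  if (source.startsWith("'")) return false;
  const pattern = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split(/[/:]/)[0].toLowerCase();
  return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : pattern === host;
}

// List "directive host" for every required host the policy does not allow.
function missingDescopeSources(policy) {
  const directives = parseCsp(policy);
  const missing = [];
  for (const [directive, hosts] of Object.entries(REQUIRED)) {
    // Fetch directives fall back to default-src; with neither, nothing is restricted.
    const sources = directives.get(directive) ?? directives.get('default-src');
    if (sources === undefined) continue;
    for (const host of hosts) {
      if (!sources.some((s) => sourceAllows(s, host))) missing.push(`${directive} ${host}`);
    }
  }
  return missing;
}
```

An empty result means every host from the sample policy is allowed; for `STRICT_POLICY` the result includes `connect-src api.descope.com`, because `connect-src` falls back to `default-src 'self'`.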
