or by using a bundling tool like csp-html-webpack-plugin with input like:
newCspHtmlWebpackPlugin({'connect-src':"'self' https://*.chime.aws wss://*.chime.aws https://*.amazonaws.com https://*.sdkassets.chime.aws",// 'wasm-unsafe-eval' is to allow Amazon Voice Focus to work in Chrome 95+.// Strictly speaking, this should be enough, but the worker cannot compile WebAssembly unless// 'unsafe-eval' is also present.'script-src':"'self' https://*.sdkassets.chime.aws 'wasm-eval' 'wasm-unsafe-eval' 'unsafe-eval'",// Script hashes/nonces are not emitted for script-src-elem, so just add unsafe-inline.'script-src-elem':"'self' https://*.sdkassets.chime.aws 'unsafe-inline'",'worker-src':"blob:",'child-src':"blob:",}),
csp-html-webpack-plugin will automatically generate hashes and nonces for your inline script and style tags.
Note that script-src-elem is not supported in Safari and Firefox. worker-src is not supported in Safari.
You will need to add your own entries to this policy to allow for making connections and downloading scripts and assets required by your own application.
The Amazon Chime SDK for JavaScript listens to the browser's security policy violation event and logs URIs that were blocked by the browser when joining meetings, creating audio and video devices, or establishing messaging sessions. The Amazon Chime SDK for JavaScript outputs "Security Policy Violation" error messages to the web console if you enable the console logger. The security policy violation event is an experimental technology and it is only supported in several major browsers. See browser compatibility for more information before using this in production.
If you want to disable the error for security policy violation events, you can do the following in your application:
Content Security Policy for applications using the Amazon Chime SDK
Modern web applications use Content Security Policy to protect users from certain classes of attacks. You can add a security policy by configuring your web server to return the Content-Security-Policy HTTP header or using a
<meta>element to configure a policy. You can add security headers using Lambda@Edge and Amazon CloudFront. For more information, see Adding HTTP Security Headers Using Lambda@Edge and Amazon CloudFront.Include the following in your policy to allow the Amazon Chime SDK access to the meeting, messaging, and Amazon Voice Focus resources.
You can do so via an HTTP header:
a
<meta>tag:or by using a bundling tool like
csp-html-webpack-pluginwith input like:csp-html-webpack-pluginwill automatically generate hashes and nonces for your inline script and style tags.Note that
script-src-elemis not supported in Safari and Firefox.worker-srcis not supported in Safari.You will need to add your own entries to this policy to allow for making connections and downloading scripts and assets required by your own application.
Meeting
If you use audio, video, or screen sharing in your application by creating a meeting session, ensure that your policy includes the following:
Messaging
If you use the Amazon Chime SDK messaging with Amazon Cognito, ensure that you add the following:
Logging
The Amazon Chime SDK for JavaScript listens to the browser's security policy violation event and logs URIs that were blocked by the browser when joining meetings, creating audio and video devices, or establishing messaging sessions. The Amazon Chime SDK for JavaScript outputs "Security Policy Violation" error messages to the web console if you enable the console logger. The security policy violation event is an experimental technology and it is only supported in several major browsers. See browser compatibility for more information before using this in production.
If you want to disable the error for security policy violation events, you can do the following in your application:
Amazon Voice Focus
To use Amazon Voice Focus, see the Amazon Voice Focus guide.
Give feedback on this guide