The Docebo platform instance opens as a pop-up, activated when the user clicks a button or interacts with an element (such as a link or a string) on the external web page. When the pop-up opens, the platform instance shows the training content that you, as the Superadmin, have selected for the user based on the action they are performing, providing on-the-fly learning enriched with ad hoc training.
Depending on the Docebo Flow configuration, users can be automatically provisioned so that their learning in the flow of work is not interrupted by the need to log in.
Docebo Flow is available as a web-based application on desktop and mobile platforms.
This article describes how to configure your site's content security policy header to accommodate Docebo Flow.
What is a content security policy
The HTTP Content-Security-Policy response header allows you to control the resources that the user agent is allowed to load for a page. Policies generally involve specifying server origins and script endpoints. Using content security policies helps guard against cross-site scripting attacks.
If you have a policy specifically defining rules for the directives child-src you should add the following sources to your security policy in order to allow both Docebo Flow Launcher and Docebo Flow Building Blocks to be viewed correctly.
Given the integrator site as integrator.example.com, the full policy could look like this:
Content-Security-Policy: script-src integrator.example.com https://*.dcbstatic.com https://*.docebosaas.com 'self';
style-src integrator.example.com https://*.dcbstatic.com 'unsafe-inline' 'self';
img-src integrator.example.com https://*.dcbstatic.com https://*.docebosaas.com 'self';
connect-src https://*.docebosaas.com 'self';
For stricter control, you can replace the general *.docebosaas.com wildcard domain with the original domain of the Docebo Learn platform you want to use with Docebo Flow.
Unsafe inline in script-src and style-src
unsafe-inline option in the
The technology on which Docebo Flow is built requires
unsafe-inline to be added in the
If you use only some of the directives mentioned above, or generally use a default-src directive to handle all the security restrictions of your web application, the domain allow-list should be the following:
Content-Security-Policy: style-src https://*.dcbstatic.com 'unsafe-inline' 'self'; default-src https://*.dcbstatic.com https://*.docebosaas.com 'self'
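To check an existing policy against the full policy and the default-src variant above, the following added example (not Docebo's own code) reports which of the sources listed in this article are missing per directive, applying the browser rule that a fetch directive which is set explicitly no longer falls back to default-src. The function names, the platform_host parameter and the sample policy are assumptions made for illustration.

```python
"""Audit a Content-Security-Policy value for the sources Docebo Flow needs."""
DCB_STATIC = "https://*.dcbstatic.com"
DCB_SAAS = "https://*.docebosaas.com"

# Per-directive sources taken from the full policy shown in this article.
REQUIRED = {
    "script-src": [DCB_STATIC, DCB_SAAS],
    "style-src": [DCB_STATIC, "'unsafe-inline'"],
    "img-src": [DCB_STATIC, DCB_SAAS],
    "connect-src": [DCB_SAAS],
}

def parse_csp(value):
    """Split a header value into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def missing_sources(value, platform_host=None):
    """Return {directive: [missing sources]} for the given policy value."""
    # platform_host (assumption: your own Docebo Learn hostname) is accepted
    # in place of the *.docebosaas.com wildcard, as the article suggests.
    policy = parse_csp(value)
    missing = {}
    for directive, needed in REQUIRED.items():
        # An absent fetch directive falls back to default-src; a present one
        # replaces default-src entirely for that resource type.
        allowed = policy.get(directive, policy.get("default-src"))
        if allowed is None:
            continue  # neither directive is set, so nothing is restricted
        gaps = []
        for src in needed:
            accepted = {src}
            if src == DCB_SAAS and platform_host:
                accepted.add("https://" + platform_host.lower())
            if not accepted & set(allowed):
                gaps.append(src)
        if gaps:
            missing[directive] = gaps
    return missing

# Constructed sample: default-src is correct, but an explicit script-src hides it.
SAMPLE = ("default-src https://*.dcbstatic.com https://*.docebosaas.com 'self'; "
          "script-src 'self'")
if __name__ == "__main__":
    print(missing_sources(SAMPLE))
```

An empty result means every source this article lists is present; it does not validate the rest of the policy.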