The following guide is only valid for iPresso integration with domains that currently use CSP.
Content Security Policy
The CSP changes needed for an iPresso integration depend on your current policy and on which iPresso features you use. In the narrowest case, the directives only need to allow static resources served from iPresso, such as fonts or images, on your application's root domain. Usually, however, the set of required sources is broader: features that monitor pages or perform actions on them need permission to run inline scripts.
If you have not worked out the exact directives your iPresso usage requires, we recommend the setting below, which allows the full range of iPresso functionality.
To use the full functionality of iPresso on a page that enforces CSP, the Content-Security-Policy header must list your "front" domain, for example media-{IPRESSO-DOMAIN}.ipresso.pl, and the perun.ipresso.pl domain, which is required for, among other things, actions on pages to work.
The default configuration to add on the domain you integrate with iPresso:
Content-Security-Policy: default-src 'unsafe-inline' media-{IPRESSO-DOMAIN}.ipresso.pl perun.ipresso.pl
Note what this header does and does not allow. 'unsafe-inline' in default-src permits inline scripts and styles on the whole page, so CSP no longer blocks injected inline script; it is the price of the page-monitoring and on-page-action features. The header also contains no 'self' source, so scripts, images and other resources served from your own origin are allowed only if you add 'self' (or your own host) alongside the iPresso domains. Treat the line above as a starting point and, where you can, move the iPresso sources into the specific directives (script-src, img-src, font-src, connect-src and so on) that your usage actually needs.
The above CSP header configuration must be added for each domain within which iPresso will be integrated.
If you need to refine this policy with additional directives, for example because of another integration, the front domain and perun.ipresso.pl must be added to every new directive you specify.
If a CSP policy already exists, add the front domain (usually media-{IPRESSO-DOMAIN}.ipresso.pl) and perun.ipresso.pl to every current Content-Security-Policy directive that takes a source list (default-src, script-src, style-src, img-src, font-src, connect-src, frame-src and similar). Directives that do not load resources, such as report-uri, frame-ancestors or upgrade-insecure-requests, do not need them. Two checks are worth making on an existing policy: a directive set to 'none' must have 'none' replaced rather than have hosts appended to it, since browsers ignore 'none' when other sources are present; and if your script-src already uses nonce- or hash-sources, browsers ignore 'unsafe-inline' in that directive, so the inline scripts iPresso relies on will still be blocked until that is resolved.
The same principle applies whenever you later refine the rules with further directives: add these domains to each of them.
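The following script applies the rule above to an existing header value: it parses the policy, appends the two iPresso hosts (and 'unsafe-inline' for the script-governing directives) to every fetch directive already present, replaces 'none' where it occurs, leaves non-fetch directives such as report-uri alone, and reports a warning when a nonce or hash source would make 'unsafe-inline' ineffective. It is an added example written for this article, not a tool shipped by iPresso; the host names are the article's placeholders, and the list of fetch directives is the standard CSP set, not something iPresso prescribes.

```python
# Added example: merge the iPresso hosts into an existing
# Content-Security-Policy header value. Illustration code written for
# this article, not an iPresso tool.
from typing import List, Tuple

# Placeholders exactly as the article writes them; substitute your real
# media-{IPRESSO-DOMAIN} host when deploying.
IPRESSO_HOSTS = ("media-{IPRESSO-DOMAIN}.ipresso.pl", "perun.ipresso.pl")

# Standard CSP directives that take a source list and so decide where
# iPresso scripts, styles, images, fonts, XHR/fetch calls, frames and
# workers may be loaded from. Non-fetch directives (report-uri,
# frame-ancestors, base-uri, form-action, sandbox,
# upgrade-insecure-requests) never load iPresso resources and are left
# untouched. (Assumption of this example, not an iPresso requirement.)
FETCH_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src", "object-src",
}

# Directives that govern inline <script> execution; 'unsafe-inline' has
# to be present in whichever of these is in effect for the page.
SCRIPT_DIRECTIVES = ("default-src", "script-src", "script-src-elem", "script-src-attr")

# A policy is an ordered list of (directive name, source tokens).
Policy = List[Tuple[str, List[str]]]


def parse_csp(header: str) -> Policy:
    """Split a header value into (directive, sources) pairs, in order."""
    policy: Policy = []
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.append((tokens[0].lower(), tokens[1:]))
    return policy


def serialize_csp(policy: Policy) -> str:
    """Inverse of parse_csp."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy)


def add_ipresso_sources(header: str, hosts=IPRESSO_HOSTS) -> Tuple[str, List[str]]:
    """Return (new header value, warnings).

    Hosts are added to every fetch directive already present. Directives
    that are absent inherit from default-src, so none are invented. An
    empty header gets the article's default policy.
    """
    warnings: List[str] = []
    merged: Policy = []
    for name, sources in parse_csp(header):
        if name not in FETCH_DIRECTIVES:
            merged.append((name, list(sources)))
            continue
        # 'none' cannot coexist with other sources (browsers ignore it,
        # with a console warning, when anything else is listed), so it is
        # replaced rather than appended to.
        new = [s for s in sources if s.lower() != "'none'"]
        for host in hosts:
            if host not in new:          # keeps the merge idempotent
                new.append(host)
        if name in SCRIPT_DIRECTIVES:
            if "'unsafe-inline'" not in new:
                new.append("'unsafe-inline'")
            # CSP level 2+ browsers ignore 'unsafe-inline' when a nonce- or
            # hash-source is present in the same directive, so iPresso's
            # inline scripts would still be blocked. Report it instead of
            # silently shipping a policy that looks right but is not.
            if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in new):
                warnings.append(f"{name}: nonce/hash source present, 'unsafe-inline' will be ignored")
        merged.append((name, new))
    if not merged:
        merged.append(("default-src", ["'unsafe-inline'", *hosts]))
    return serialize_csp(merged), warnings


if __name__ == "__main__":
    # Constructed sample policy, not taken from any real site.
    existing = "default-src 'self'; script-src 'self' 'nonce-abc'; img-src 'none'; report-uri /csp"
    new_header, notes = add_ipresso_sources(existing)
    print("Content-Security-Policy:", new_header)
    for note in notes:
        print("WARNING:", note)
```

Run it against the value your server currently sends and deploy the printed header only after reviewing the warnings; a nonce-based script-src in particular has to be reworked by hand, because the script cannot make 'unsafe-inline' take effect alongside nonces.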