...
  default-src 'none';
  connect-src https://your.host;
  font-src https://your.host;
  img-src https://your.host;
  frame-src https://your.host;
  style-src 'unsafe-inline' 'unsafe-eval' https://your.host;
  script-src 'nonce-rAndom' https://your.host;
  script
style-src
...
Having 'unsafe-inline' for styles is required as a temporary measure while we fix our own and third-party code so that it is no longer needed. The improved solution is scheduled to be delivered in late March 2024.
script-src
The most secure way to integrate GRAVITY into a CSP-protected product is:
for each document request, generate a random base64-encoded string of at least 128 bits from a cryptographically secure random number generator (for example ZDNn103nceIOfn33fn6e1h3dhrs) and use that value in the CSP header: script-src 'nonce-ZDNn103nceIOfn33fn6e1h3dhrs' https://your.host;
and, as part of the GRAVITY integration script, set the same nonce on the dynamically created script element. Note that the inline <script> element itself must also carry that nonce: with no 'unsafe-inline' in script-src, the policy above blocks any inline script that does not.
  <script nonce="ZDNn103nceIOfn33fn6e1h3dhrs">
    var head = document.getElementsByTagName('head')[0];
    var script = document.createElement('script');
    script.setAttribute('nonce', 'ZDNn103nceIOfn33fn6e1h3dhrs');
    ...
If, for some technical reason, it is not possible to generate a random nonce for every request, a static value can be used instead, but this reduces the level of protection: a nonce that is reused across responses is predictable, so an attacker who can inject markup into the page only needs to learn the fixed value once to have their own script accepted, and the nonce then adds little beyond the https://your.host allowlist.