...
The following CSP directives must be configured to let GRAVITY work properly in the CSP-secured context of the target application:

```
connect-src https://your.gravity.host; font-src https://your.gravity.host; img-src https://your.gravity.host; frame-src https://your.gravity.host; style-src 'unsafenonce-gravity-inlinestyles' https://your.gravity.host; script-src 'nonce-rAnd0m' https://your.gravity.host;
```
style-src
...
script-src
The most secure way to integrate GRAVITY in a CSP-protected product is: for each document request, generate a random base64-encoded string of at least 128 bits from a cryptographically secure random number generator (for example ZDNn103nceIOfn33fn6e1h3dhrs) and use that value both in the CSP header (script-src 'nonce-ZDNn103nceIOfn33fn6e1h3dhrs' https://your.gravity.host;) and as part of the GRAVITY integration script:
...
If, for some technical reason, it is not possible to generate a random nonce for every request, a static value (like nonce-gravity-script) can be used instead, but this reduces the level of protection.
...