...

Code Block
connect-src https://your.gravity.host;
font-src https://your.gravity.host;
img-src https://your.gravity.host;
frame-src https://your.gravity.host;
style-src 'nonce-gravity-styles' https://your.gravity.host;
script-src 'nonce-rAnd0m' https://your.gravity.host;

*script-src

The most secure way to integrate GRAVITY into a CSP-protected product is:
for each document request, generate a random base64-encoded string of at least 128 bits from a cryptographically secure random number generator (for example ZDNn103nceIOfn33fn6e1h3dhrs) and use that value both in the CSP header (script-src 'nonce-ZDNn103nceIOfn33fn6e1h3dhrs' https://your.gravity.host;) and as part of the GRAVITY integration script:
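The per-request nonce flow described above, as an added example that is not GRAVITY's own code: the handler mints one CSPRNG nonce, puts it in script-src (and, as an assumed choice, style-src) and on the inline tag, and a small check confirms the header and the markup agree. The host is the page's placeholder and the script body is a stand-in for the real snippet.

```python
import base64
import re
import secrets

# Placeholder host taken from the page's own examples.
GRAVITY_HOST = "https://your.gravity.host"

def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh base64 nonce from a CSPRNG; 16 bytes is the 128-bit minimum."""
    if num_bytes < 16:
        raise ValueError("CSP nonce needs at least 128 bits of entropy")
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")

def build_csp(nonce: str, host: str = GRAVITY_HOST) -> str:
    """Assemble the page's directives; script-src (and, by assumption here,
    style-src) are bound to the per-request nonce, never 'unsafe-inline'."""
    directives = [
        f"connect-src {host}",
        f"font-src {host}",
        f"img-src {host}",
        f"frame-src {host}",
        f"style-src 'nonce-{nonce}' {host}",
        f"script-src 'nonce-{nonce}' {host}",
    ]
    return "; ".join(directives) + ";"

def integration_tag(nonce: str) -> str:
    """Inline tag carrying the same nonce (base64 is attribute-safe as-is).
    The body is a placeholder, not GRAVITY's real integration snippet."""
    return f'<script nonce="{nonce}">/* GRAVITY integration snippet */</script>'

def render_page(body_html: str) -> tuple:
    """Per-request handler: one nonce, used in the header and in the markup."""
    nonce = generate_nonce()
    headers = {"Content-Security-Policy": build_csp(nonce)}
    html = f"<html><body>{body_html}{integration_tag(nonce)}</body></html>"
    return headers, html

_SCRIPT_SRC = re.compile(r"script-src([^;]*)")
_NONCE = re.compile(r"'nonce-([A-Za-z0-9+/=]+)'")

def script_nonces(csp: str) -> set:
    """Nonces that script-src allows, parsed from a CSP header value."""
    m = _SCRIPT_SRC.search(csp)
    return set(_NONCE.findall(m.group(1))) if m else set()

def header_and_markup_agree(headers: dict, html: str) -> bool:
    """Deployment check: the nonces script-src allows are exactly those on the page's tags."""
    allowed = script_nonces(headers.get("Content-Security-Policy", ""))
    used = set(re.findall(r'<script nonce="([^"]+)"', html))
    return bool(allowed) and allowed == used
```

A stale or reused nonce shows up as `header_and_markup_agree` returning False, which is the condition a browser would report as a blocked inline script.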

...

Code Block
img-src https://your.gravity.host https://i.vimeocdn.com;
frame-src https://your.gravity.host https://player.vimeo.com;

CSP trusted-types

To ensure that the security of your target application isn't compromised, GRAVITY also supports an experimental technology called trusted-types.
When GRAVITY is injected into an application that uses this technology, the appropriate security mode is activated automatically, so no additional configuration is required other than allowing the required types:

  • gravity-internal
  • dompurify
  • gravity-jquery
  • default*

*The default policy is temporarily required because the third-party frameworks in use do not fully support this experimental feature.