...
```
connect-src https://your.gravity.host;
font-src https://your.gravity.host;
img-src https://your.gravity.host;
frame-src https://your.gravity.host;
style-src 'nonce-gravity-styles' https://your.gravity.host;
script-src 'nonce-rAnd0m' https://your.gravity.host;
```
*script-src
The most secure way to integrate GRAVITY into a CSP-protected product is the following: for each document request, generate a random base64-encoded string of at least 128 bits from a cryptographically secure random number generator (for example ZDNn103nceIOfn33fn6e1h3dhrs) and use that value both as the nonce in the CSP header (script-src 'nonce-ZDNn103nceIOfn33fn6e1h3dhrs' https://your.gravity.host;) and in the GRAVITY integration script. The nonce must be fresh for every response: the 'nonce-rAnd0m' and 'nonce-gravity-styles' values in the directive list above are placeholders only, and a fixed or predictable value gives no protection, for style-src just as for script-src:
...
```
img-src https://your.gravity.host https://i.vimeocdn.com;
frame-src https://your.gravity.host https://player.vimeo.com;
```
CSP trusted-types
To ensure that the security of your target application is not compromised, GRAVITY also supports Trusted Types, an experimental browser technology.
When GRAVITY is injected into an application that enforces Trusted Types, the matching security mode is activated automatically, so no additional configuration is required beyond allowing the policy names GRAVITY needs in the application's trusted-types directive:
gravity-internal dompurify gravity-jquery default
*The default policy is temporarily required because third-party frameworks used by GRAVITY do not yet fully support this experimental feature. Note that a default policy is invoked for every plain string assigned to a DOM injection sink, so its handlers should sanitize or reject input rather than pass it through unchanged; otherwise allowing it weakens the enforcement that Trusted Types provides.
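As an added example (not GRAVITY's own code or tooling), the following Node.js script parses a CSP header and checks it against the directives, nonce requirement and Trusted Types policy names listed on this page, including the caveat about the default policy. The host and both sample headers are constructed for the example; the require-trusted-types-for 'script' directive in the sample is the standard CSP directive that turns Trusted Types enforcement on.

```javascript
// Added example, not GRAVITY's own code: lint an existing CSP header for the
// sources and Trusted Types policy names that the GRAVITY integration needs.
// Node.js; GRAVITY_HOST and both sample headers are constructed for this example.
const GRAVITY_HOST = 'https://your.gravity.host';
const GRAVITY_DIRECTIVES = ['connect-src', 'font-src', 'img-src', 'frame-src', 'style-src', 'script-src'];
const GRAVITY_POLICIES = ['gravity-internal', 'dompurify', 'gravity-jquery', 'default'];

// Where a browser looks when a directive is absent: frame-src falls back to
// child-src and then default-src; the other five go straight to default-src.
const FALLBACK = { 'frame-src': ['child-src', 'default-src'] };

// "name src src; name src" -> Map(name -> [sources]). The first occurrence of
// a directive wins; browsers ignore later duplicates, so the linter must too.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that actually govern `name`, or null when nothing restricts it.
function effectiveSources(directives, name) {
  for (const candidate of [name, ...(FALLBACK[name] || ['default-src'])]) {
    if (directives.has(candidate)) return directives.get(candidate);
  }
  return null;
}

function checkGravityCsp(header) {
  const d = parseCsp(header);
  const problems = [];
  const notes = [];

  // Each directive that restricts anything must allow the GRAVITY host.
  for (const name of GRAVITY_DIRECTIVES) {
    const sources = effectiveSources(d, name);
    if (sources && !sources.includes(GRAVITY_HOST) && !sources.includes('*')) {
      problems.push(`${name}: ${GRAVITY_HOST} not allowed`);
    }
  }

  // The integration script carries the nonce, so a restricted script-src
  // must contain a 'nonce-...' source, and that nonce must be >= 128 bits.
  const script = effectiveSources(d, 'script-src');
  if (script) {
    const nonces = script.filter((s) => /^'nonce-[A-Za-z0-9+/]+={0,2}'$/.test(s));
    if (nonces.length === 0) problems.push("script-src: no 'nonce-...' source");
    for (const n of nonces) {
      if (Buffer.from(n.slice(7, -1), 'base64').length < 16) {
        problems.push(`script-src: nonce ${n} is shorter than 128 bits`);
      }
    }
  }

  // A trusted-types directive restricts policy names; absent means unrestricted.
  const tt = d.get('trusted-types');
  if (tt) {
    for (const p of GRAVITY_POLICIES) {
      if (!tt.includes(p)) problems.push(`trusted-types: policy '${p}' not allowed`);
    }
    if (tt.includes('default')) {
      notes.push('trusted-types: the default policy is allowed; every plain string assigned to a DOM sink is routed through it, so it must sanitize or reject rather than pass through');
    }
  }
  return { ok: problems.length === 0, problems, notes };
}

// Constructed samples: one header that meets the requirements, one that does not.
const SAMPLE_OK = [
  "default-src 'self'",
  `connect-src ${GRAVITY_HOST}`,
  `font-src ${GRAVITY_HOST}`,
  `img-src ${GRAVITY_HOST} https://i.vimeocdn.com`,
  `frame-src ${GRAVITY_HOST} https://player.vimeo.com`,
  `style-src 'nonce-ZDNn103nceIOfn33fn6e1h3dhrs' ${GRAVITY_HOST}`,
  `script-src 'nonce-ZDNn103nceIOfn33fn6e1h3dhrs' ${GRAVITY_HOST}`,
  "require-trusted-types-for 'script'",
  'trusted-types gravity-internal dompurify gravity-jquery default',
].join('; ');
const SAMPLE_BAD = "default-src 'self'; script-src 'self' https://cdn.example.com; require-trusted-types-for 'script'; trusted-types dompurify";

for (const [label, h] of [['ok', SAMPLE_OK], ['bad', SAMPLE_BAD]]) {
  const r = checkGravityCsp(h);
  console.log(label, r.ok ? 'passes' : 'fails', r.problems, r.notes);
}
```

Run it against the header your application already sends before adding the GRAVITY sources: the fallback handling matters because a default-src 'self' silently blocks every GRAVITY directive you forgot to add, and the duplicate-directive rule matters because a second script-src appended by a framework is ignored by the browser, not merged.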