Versions Compared

...

If a user should be authenticated automatically under a specified email address, the following snippet can be used:

```js
// Load the GRAVITY inject script and start it for a fixed user
var head = document.getElementsByTagName('head')[0];
var script = document.createElement('script');
var baseUrl = 'https://your.host/gravity/';
var options = { email: 'user@mail.com' };
script.type = 'text/javascript';
script.onload = function() {
    // runs once pi.gravity.inject.js has finished loading
    pi.gravity.inject.setup(baseUrl, baseUrl + 'inject/', 'Static inject', options);
};
script.src = baseUrl + 'inject/js/pi.gravity.inject.js';
head.appendChild(script);
```

...

A more complex solution for cases where GRAVITY might not be activated for every site on which the script is injected:

```js
/* Gravity injection code */
var baseUrl = "https://your.host/gravity/";
var options = { email: 'user@mail.com' };

(function init() {
    // addEventListener does not clobber an onload handler the host page may already have set
    window.addEventListener('load', injectGravity);
})();

function injectGravity() {
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function () {
        // if gravity is enabled for the current page, then load the inject scripts
        if (xhr.readyState === 4 && xhr.status === 200 && xhr.responseText === "true") {
            loadInjectScripts();
        }
    };
    // encodeURIComponent: the page URL is a query-string value, so any '?', '&' or '='
    // inside it must be escaped (encodeURI leaves them untouched and breaks the parameter)
    xhr.open("GET", baseUrl + "services/info/gravity/enabled?url=" + encodeURIComponent(location.href), true);
    xhr.send();
}

function loadInjectScripts() {
    var script = document.createElement('script');
    script.onload = function () {
        // call setup directly rather than appending an inline <script> assembled from strings:
        // an inline script without a nonce is blocked by the nonce-based script-src described below
        pi.gravity.inject.setup(baseUrl, baseUrl + 'inject/', 'Static inject', options);
    };
    script.src = baseUrl + "inject/js/pi.gravity.inject.js";
    document.head.appendChild(script);
}
```

CSP rules

Required headers

The following CSP directives must be configured for GRAVITY to work properly in the CSP-secured context of the target application:

```
connect-src https://your.gravity.host;
font-src https://your.gravity.host;
img-src https://your.gravity.host;
frame-src https://your.gravity.host;
style-src 'nonce-gravity-styles' https://your.gravity.host;
script-src 'nonce-rAnd0m' https://your.gravity.host;
```

* script-src

The most secure way to integrate GRAVITY in a CSP-protected product is the following:
for each document request, generate a random base64-encoded string of at least 128 bits from a cryptographically secure random number generator (for example ZDNn103nceIOfn33fn6e1h3dhrs), use that value in the CSP header (script-src 'nonce-ZDNn103nceIOfn33fn6e1h3dhrs' https://your.gravity.host;) and as part of the GRAVITY integration script:

```html
<!-- the inline integration script must itself carry the nonce, otherwise the script-src above blocks it -->
<script nonce="ZDNn103nceIOfn33fn6e1h3dhrs">
var head = document.getElementsByTagName('head')[0];
var script = document.createElement('script');
script.setAttribute('nonce', 'ZDNn103nceIOfn33fn6e1h3dhrs');
// ... (remaining lines as in the first snippet above)
</script>
```

If, for some technical reason, it is not possible to generate a random nonce for every request, a static value (like nonce-gravity-script) can be used instead, but this reduces the level of protection: a value that never changes can be copied into any injected markup.

Optional headers

Depending on the additional content types and functionality used for Callouts, the following CSP directives must be added to the base configuration described above.

Attached PDF documents or additional images

Loading images or documents as data: must be allowed via connect-src:

```
connect-src data: https://your.gravity.host;
```

Content type: Image

Required image hosts must be allowed via img-src

```
img-src https://your.gravity.host https://your.images.host;
```

Content type: Video

Required video hosts must be allowed via media-src

```
media-src https://your.video.host;
```

img-src must also be extended if video posters are used:

```
img-src https://your.gravity.host https://your.video-posters.host;
```

Content type: IFrame

Required frame hosts must be allowed via frame-src

```
frame-src https://your.gravity.host https://your.frames.host;
```

Content type: YouTube video

YouTube hosts must be allowed:

```
img-src https://your.gravity.host https://i.ytimg.com;
frame-src https://your.gravity.host https://www.youtube.com;
```

Content type: Vimeo video

Vimeo hosts must be allowed:

```
img-src https://your.gravity.host https://i.vimeocdn.com;
frame-src https://your.gravity.host https://player.vimeo.com;
```
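The optional directives above are listed one content type at a time, but a browser honours only the first occurrence of a directive name within a policy, so the per-type img-src and frame-src lines must be merged into single directives rather than concatenated. The following added example, which is not part of GRAVITY's code, composes the "Required headers" base and the selected content types into one header value and parses a header back to detect duplicated directives. The hosts are the page's placeholders; CONTENT_TYPE_SOURCES, composeCsp and parseCsp are names chosen for this example.

```javascript
// Added example, not GRAVITY's own code: merge the base rules and the optional
// per-content-type rules into a single policy. The hosts are the page's placeholders;
// CONTENT_TYPE_SOURCES, composeCsp and parseCsp are names chosen for this example.
const GRAVITY_HOST = 'https://your.gravity.host';

// Extra sources per Callout content type, as listed under "Optional headers".
const CONTENT_TYPE_SOURCES = {
  attachments: { 'connect-src': ['data:'] },
  image:       { 'img-src': ['https://your.images.host'] },
  video:       { 'media-src': ['https://your.video.host'], 'img-src': ['https://your.video-posters.host'] },
  iframe:      { 'frame-src': ['https://your.frames.host'] },
  youtube:     { 'img-src': ['https://i.ytimg.com'], 'frame-src': ['https://www.youtube.com'] },
  vimeo:       { 'img-src': ['https://i.vimeocdn.com'], 'frame-src': ['https://player.vimeo.com'] },
};

// Build one header value from the base rules plus the selected content types.
// Every directive name appears exactly once; sources are de-duplicated in insertion order.
function composeCsp(nonce, contentTypes) {
  const policy = new Map(); // directive -> ordered set of sources
  const add = (directive, sources) => {
    if (!policy.has(directive)) policy.set(directive, new Set());
    for (const s of sources) policy.get(directive).add(s);
  };
  for (const d of ['connect-src', 'font-src', 'img-src', 'frame-src']) add(d, [GRAVITY_HOST]);
  add('style-src', ["'nonce-gravity-styles'", GRAVITY_HOST]);
  add('script-src', ["'nonce-" + nonce + "'", GRAVITY_HOST]); // nonce: generated per request
  for (const type of contentTypes) {
    const extra = CONTENT_TYPE_SOURCES[type];
    if (!extra) throw new Error('unknown content type: ' + type);
    for (const [d, s] of Object.entries(extra)) add(d, s);
  }
  return [...policy].map(([d, s]) => d + ' ' + [...s].join(' ')).join('; ') + ';';
}

// Parse a header value back into directive -> sources and report every directive that
// appears more than once (the repeats are the part a browser silently ignores).
function parseCsp(header) {
  const directives = Object.create(null);
  const duplicates = [];
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (name in directives) duplicates.push(name); else directives[name] = sources;
  }
  return { directives, duplicates };
}
```

Running parseCsp over a header assembled by pasting the per-type lines one after another reports img-src as duplicated, which is exactly the case in which YouTube or Vimeo thumbnails end up blocked; composeCsp never produces such a header.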

CSP trusted-types

To ensure that the security of the target application isn't compromised, GRAVITY also supports the experimental Trusted Types technology.
When GRAVITY is injected into an application that uses this technology, the matching security mode is activated automatically, so no configuration is required other than allowing the required policy names:

```
trusted-types gravity-internal dompurify gravity-jquery default;
```

* The default policy is temporarily required because some of the third-party frameworks in use do not yet fully support this experimental feature.
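What "the appropriate security mode is activated automatically" looks like from the integrating side, as an added example that is not GRAVITY's code: detect whether the page enforces Trusted Types, create a policy under one of the allowed names, and restrict the script URLs that policy will mint to the GRAVITY base URL so that a loader running under an allow-listed policy cannot be pointed elsewhere. ALLOWED_POLICIES, makeLoaderPolicy and loadGravity are names chosen for this example, and the small fake trustedTypes object used in the usage stands in for the browser's window.trustedTypes.

```javascript
// Added example, not GRAVITY's own code. ALLOWED_POLICIES, makeLoaderPolicy and loadGravity
// are names chosen here; in a browser, pass window.trustedTypes and document.
const ALLOWED_POLICIES = ['gravity-internal', 'dompurify', 'gravity-jquery', 'default'];

// Returns { toScriptURL } that yields a TrustedScriptURL when Trusted Types are enforced,
// or the plain string otherwise, so the same loader works in both modes. In both modes the
// URL is checked against baseUrl first: the policy never blesses a script from another origin.
function makeLoaderPolicy(trustedTypes, baseUrl, policyName) {
  if (!ALLOWED_POLICIES.includes(policyName)) {
    // a name outside the trusted-types directive would make createPolicy throw in the browser
    throw new Error('policy "' + policyName + '" is not in the trusted-types allow list');
  }
  const checkUrl = (url) => {
    if (typeof url !== 'string' || !url.startsWith(baseUrl)) {
      throw new TypeError('script URL outside the GRAVITY base URL: ' + url);
    }
    return url;
  };
  if (!trustedTypes || typeof trustedTypes.createPolicy !== 'function') {
    // Trusted Types not enforced: same check, plain strings
    return { toScriptURL: checkUrl };
  }
  const policy = trustedTypes.createPolicy(policyName, { createScriptURL: checkUrl });
  return { toScriptURL: (url) => policy.createScriptURL(url) };
}

// Append the inject script through the policy; doc is document in a browser.
function loadGravity(doc, trustedTypes, baseUrl) {
  const policy = makeLoaderPolicy(trustedTypes, baseUrl, 'gravity-internal');
  const script = doc.createElement('script');
  script.src = policy.toScriptURL(baseUrl + 'inject/js/pi.gravity.inject.js');
  doc.head.appendChild(script);
  return script;
}

// Constructed stand-ins for the browser objects, so the example runs offline.
const fakeTrustedTypes = {
  createPolicy: (name, rules) => ({
    name,
    createScriptURL: (url) => ({ trusted: true, value: rules.createScriptURL(url) }),
  }),
};
const fakeDocument = {
  createElement: () => ({}),
  head: { appendChild(el) { this.last = el; } },
};
```

When window.trustedTypes is present and the header carries require-trusted-types-for 'script', assigning a plain string to script.src throws; routing the URL through the named policy is what makes the assignment succeed, and the baseUrl check inside the policy is the part that keeps the policy from becoming a general-purpose bypass.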