Content Security Policy (CSP)
Websites that implement a Content Security Policy (CSP) must follow a few rules so that the consentmanager Consent Layer keeps working.
CSP Rules
The consentmanager Consent Layer loads content through various data types and mechanisms, depending on the settings and the way the code is used. It also calls scripts in various ways:
- The system will add <script src="..."> elements to the page
- The system will add <script>...</script> elements to the page
- The system will add <style>...</style> elements to the page
- The system will add <link ...> elements to the page
- The system will add <img ...> elements to the page
- The system will add <iframe ...> elements to the page
- The system will load content using CORS (window.XMLHttpRequest)
- The system will use <... onclick="..."> handlers
- The system will use @font-face to load fonts
The system will never use:
- The system will not use eval()
- The system will not use var x = new Function(....)
- The system will not use string arguments for setTimeout or setInterval (e.g. setTimeout("dosomething()")); it will always use function arguments
- The system will not use <a href="javascript:...">...</a>; it will always use onclick
To allow all of the above, the simplest CSP permits the entire consentmanager domain for every type of element:
Content-Security-Policy: default-src 'self' https://*.consentmanager.net;
Note: If you are using a custom domain, you will need to whitelist this domain in your CSP.
If you want to use a more restrictive CSP, you can use:
Content-Security-Policy: default-src 'self';
connect-src 'self' https://*.consentmanager.net;
frame-src 'self' https://*.consentmanager.net;
img-src 'self' https://*.consentmanager.net;
script-src 'self' https://*.consentmanager.net;
style-src 'self' https://*.consentmanager.net;
font-src 'self' https://*.consentmanager.net;
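The following checker is an added example, not consentmanager's own code. It parses a Content-Security-Policy header, applies the default-src fallback that browsers use for the six fetch directives listed above, and reports which of them would block the consent layer's origin. It assumes the layer is served from https://*.consentmanager.net (the hostname cdn.consentmanager.net used as the default is a constructed sample; pass your custom domain instead if you use one). It also reports whether script-src and style-src carry 'unsafe-inline', since the page lists inline <script>, <style> and onclick among the mechanisms the layer uses, and CSP permits those only with 'unsafe-inline' or a matching nonce or hash. The three sample headers are the two policies shown on this page plus one constructed incomplete policy.

```python
"""Check a Content-Security-Policy header against the sources a consent layer needs.

Added example, not consentmanager's own code. It assumes the layer is served
from https://*.consentmanager.net (or a custom domain you pass in) and that the
fetch directives listed on the page are the ones that matter.
"""
from __future__ import annotations

from fnmatch import fnmatch
from urllib.parse import urlsplit

# Fetch directives the page lists for the restrictive policy. Each of them
# falls back to default-src when it is absent from the header.
REQUIRED_DIRECTIVES = ("connect-src", "frame-src", "img-src",
                       "script-src", "style-src", "font-src")

# Directives that govern the inline content the page says the layer emits
# (<script>...</script>, <style>...</style>, onclick="..." handlers).
INLINE_DIRECTIVES = ("script-src", "style-src")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            # Browsers honour only the first occurrence of a directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list governing `directive`, honouring the default-src fallback.

    Returns None when neither the directive nor default-src is set, i.e. the
    policy does not restrict that kind of fetch at all.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def source_allows(source: str, origin: str, site_origin: str | None = None) -> bool:
    """True if one source expression permits a fetch from `origin` (scheme://host[:port])."""
    if source == "*":
        return True
    if source == "'self'":
        return site_origin is not None and origin == site_origin
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes name no host
    o = urlsplit(origin)
    if "://" not in source and source.endswith(":"):
        return o.scheme == source[:-1].lower()  # scheme-source such as https:
    # Host-source: optional scheme, host with optional leading *, optional port.
    s = urlsplit(source if "://" in source else f"//{source}", scheme=o.scheme)
    scheme = s.scheme.lower()
    # CSP lets an http: source match an https: fetch (scheme upgrade), never the reverse.
    if scheme != o.scheme and not (scheme == "http" and o.scheme == "https"):
        return False
    if not s.hostname or not o.hostname:
        return False
    if s.port is not None and s.port != o.port:
        return False
    return fnmatch(o.hostname, s.hostname)  # "*.consentmanager.net" matches any subdomain


def check_policy(header: str, layer_origin: str = "https://cdn.consentmanager.net",
                 site_origin: str | None = None) -> dict[str, dict[str, bool | None]]:
    """Per required directive: is the layer origin allowed, and is inline content allowed?"""
    policy = parse_csp(header)
    report: dict[str, dict[str, bool | None]] = {}
    for directive in REQUIRED_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            origin_ok, inline_ok = True, True  # unrestricted fetch type
        else:
            origin_ok = any(source_allows(s, layer_origin, site_origin) for s in sources)
            inline_ok = "'unsafe-inline'" in sources
        report[directive] = {
            "origin_allowed": origin_ok,
            "inline_allowed": inline_ok if directive in INLINE_DIRECTIVES else None,
        }
    return report


def blocking_directives(header: str, layer_origin: str = "https://cdn.consentmanager.net") -> list[str]:
    """Directives that would block the layer's own origin, in the order the page lists them."""
    return [d for d, r in check_policy(header, layer_origin).items() if not r["origin_allowed"]]


# The two policies from the page, plus a constructed incomplete one.
PERMISSIVE = "default-src 'self' https://*.consentmanager.net;"
RESTRICTIVE = ("default-src 'self'; "
               "connect-src 'self' https://*.consentmanager.net; "
               "frame-src 'self' https://*.consentmanager.net; "
               "img-src 'self' https://*.consentmanager.net; "
               "script-src 'self' https://*.consentmanager.net; "
               "style-src 'self' https://*.consentmanager.net; "
               "font-src 'self' https://*.consentmanager.net")
INCOMPLETE = "default-src 'self'; script-src 'self' https://*.consentmanager.net"  # constructed

if __name__ == "__main__":
    for name, header in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE), ("incomplete", INCOMPLETE)):
        print(f"{name}: blocks {blocking_directives(header) or 'nothing'}")
        print("  inline script allowed:", check_policy(header)["script-src"]["inline_allowed"])
```

Run against a real deployment by pasting the header value your server sends; the two page policies come out equivalent for the consentmanager origin because every listed directive falls back to default-src when it is missing, while the constructed incomplete policy shows that adding only script-src leaves the other five directives on the bare default-src 'self'.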
Nonces & Script Integrity
Because the system adds further scripts itself, it does not support nonce or integrity attributes.