Content Security Policy for giosg services

CSP settings you need to apply for giosg services to work on your page

If your website uses a Content-Security-Policy header to protect your visitors, you’ll need to extend it for giosg services to work. Otherwise the browser blocks the giosg resources and reports console errors such as:

refused to load the {*content(script/image..)} because it violates the following content security policy directive...

The following domains must be allowed in the CSP header:

  • *.giosg.com
  • *.giosgusercontent.com

Required CSP domains for Giosg services

The following CSP part makes giosg services functional on your website:

default-src https://*.giosg.com https://*.giosgusercontent.com;
script-src 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com;
img-src data:;
frame-src https://*.giosg.com https://*.giosgusercontent.com;
connect-src https://*.giosg.com https://*.giosgusercontent.com;
style-src 'unsafe-inline' https://*.giosg.com https://*.giosgusercontent.com;

Note that if a directive such as connect-src is not already present in your policy, the browser falls back to default-src for it. So always merge the giosg default-src values without exception, AND merge the giosg values into every directive that is already present in your policy.

Example of a CSP Header

To build your own CSP, merge the giosg-recommended CSP with your existing one, so that you end up with a header like this (e.g. in Python code, here inside an http.server request handler):

from http.server import BaseHTTPRequestHandler

class CSPHandler(BaseHTTPRequestHandler):
    def end_headers(self):
        # giosg directives merged with the site's own sources; the example.com hosts are placeholders
        self.send_header('Content-Security-Policy', "default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com https://scripts.example.com; \
img-src 'self' data: https://images.example.com; \
frame-src 'self' https://*.giosg.com https://*.giosgusercontent.com https://securepayment.example.com; \
connect-src 'self' https://*.giosg.com https://*.giosgusercontent.com https://externalresource.example.com; \
style-src 'self' 'unsafe-inline' https://*.giosg.com https://*.giosgusercontent.com https://css.example.com;")
        super().end_headers()

(Note!) Do not just copy the above example. It contains example domains and is intended only for illustration.

If you need to permit only giosg and your own site's resources, and nothing else, we have a ready-made CSP for you:

default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com https://*.interactions.giosgusercontent.com https://*.clients.giosgusercontent.com;

Note that if you define a more specific *-src directive, e.g. script-src, you’ll need to merge the giosg values into it as well.

Giosg reserves the right to serve any type of content from any of its domains, including but not limited to scripts, images, styles and iframes, so default-src is in any case a good place to add the giosg domains.
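The merge rule above (default-src always, other directives only where your policy already sets them) and the fallback behaviour are easy to get wrong by hand. The following is an added example, not giosg's own code: it merges the directive list from this page into an existing policy and then reports which giosg sources the browser would still block because of directive fallback, which is the check worth running before shipping the header. The site policy used in the test is a constructed sample.

```python
# Directive list from this page, in header form.
GIOSG_CSP = (
    "default-src https://*.giosg.com https://*.giosgusercontent.com; "
    "script-src 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com; "
    "img-src data:; "
    "frame-src https://*.giosg.com https://*.giosgusercontent.com; "
    "connect-src https://*.giosg.com https://*.giosgusercontent.com; "
    "style-src 'unsafe-inline' https://*.giosg.com https://*.giosgusercontent.com"
)

def parse_csp(policy):
    """Split a policy string into {directive: [source, ...]}, preserving order."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def serialize_csp(directives):
    """Render {directive: [sources]} back into header form."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in directives.items()) + ";"

def merge_giosg_csp(site_policy, giosg_policy=GIOSG_CSP):
    """Merge rule from the page: default-src always, other directives only if the site already sets them."""
    merged = {name: list(srcs) for name, srcs in parse_csp(site_policy).items()}
    for name, srcs in parse_csp(giosg_policy).items():
        if name == "default-src" or name in merged:
            existing = merged.setdefault(name, [])
            for source in srcs:
                if source not in existing:
                    existing.append(source)
    return serialize_csp(merged)

def effective_sources(policy, directive):
    """Sources the browser applies for a fetch directive, falling back to default-src when it is absent."""
    directives = parse_csp(policy)
    return directives.get(directive, directives.get("default-src", []))

def missing_giosg_sources(policy, giosg_policy=GIOSG_CSP):
    """(directive, source) pairs giosg needs that the browser would still block under this policy."""
    missing = []
    for name, srcs in parse_csp(giosg_policy).items():
        allowed = effective_sources(policy, name)
        missing.extend((name, s) for s in srcs if s not in allowed)
    return missing
```

A non-empty result from missing_giosg_sources after merging means a directive is falling back to a default-src that lacks a giosg value, so that directive needs to be added explicitly.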

For more information, visit our giosg for developers site.