```html
<html>
<head>
<!-- Nonce-based CSP: the nonce on each <script> tag must match a 'nonce-…'
     source here; 'strict-dynamic' lets the nonced SDK load further scripts. -->
<meta http-equiv="Content-Security-Policy"
content="connect-src https://*.wootric.com;
script-src 'nonce-EBVmWKEBEP' 'nonce-iApyYLoklC' 'strict-dynamic';
object-src 'none';
base-uri 'none';
img-src 'self' data:;
font-src 'self' data:;" />
<meta charset="utf-8">
<script type="text/javascript" src="https://cdn.wootric.com/wootric-sdk.js" nonce="iApyYLoklC"></script>
<script type="text/javascript" nonce="EBVmWKEBEP">
window.wootricSettings = { account_token: 'NPS-YOURTOKEN', created_at: 1561852800 };
window.wootric('run');
</script>
</head>
<body>
</body>
</html>
```
Hey @kaschka, there seems to be an issue there. I'm going to dig into it and will keep you posted. Thanks for reporting. Apologies for the trouble.
@kaschka, I updated the gist based on the example you sent me. I ran the new CSP header through the Google CSP validator and got an ✅ from them. I hope this works for you as well! Let me know if you have more questions. Thanks for reporting this!
Longshot @marinhero any chance of getting this CSP narrowed down a bit? *.wootric.com seems pretty open. e.g. Ideally this CSP wouldn't include your testing/qa environments etc...
Many thanks!
wootric-sdk.js also injects inline styles, so you need to add for the style-src policy: 'unsafe-inline' (which is not recommended) or the corresponding hash... The problem with hashing is that we can't control when Wootric style will change.
Can't you improve the nonce CSP approach for style-src as well?
Coming from http://help.wootric.com/en/articles/1634200-wootric-s-content-security-policy-csp-guidelines
Is this still up to date? Can't get
<script async type="text/javascript" src="https://cdn.wootric.com/wootric-sdk.js"></script>
to run without 'unsafe-inline' on Firefox and Edge. Example: