Skip to content

CSP for Giosg services

If your website is using Content-Security-Policy header to ensure security for your clients, you'll need to modify it for giosg services to work.

The following domains are required to be included in CSP header:

  • *.giosg.com
  • *.giosgusercontent.com

Required CSP domains for Giosg services

The following CSP part makes giosg services functional on your website:

1
2
3
4
5
6
default-src https://*.giosg.com https://*.giosgusercontent.com;
script-src 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com;
img-src data:;
frame-src https://*.giosg.com https://*.giosgusercontent.com;
connect-src https://*.giosg.com https://*.giosgusercontent.com;
style-src 'unsafe-inline' https://*.giosg.com https://*.giosgusercontent.com;

Note that if you don't have a CSP part, as connect-src already present on your website, it will use default-src as a fallback. So, merge default-src without exceptions AND merge those parts which are already present on your website.

Example of a CSP Header

To make your own CSP, you'll need to merge Giosg-recommended CSP with your own, so that you have this record (e.g. in python code):

1
2
3
4
5
6
self.send_header('Content-Security-Policy', "default-src 'self'; \
          script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com https://scripts.example.com; \
          img-src 'self' data: https://images.example.com; \
          frame-src 'self' https://*.giosg.com https://*.giosgusercontent.com https://securepayment.example.com; \
          connect-src 'self' https://*.giosg.com https://*.giosgusercontent.com https://externalresource.example.com; \
          style-src 'self' 'unsafe-inline' https://*.giosg.com https://*.giosgusercontent.com https://css.example.com;")

Note

Do not just copy the above example. It has some example domains inside and is intended only for presentation.

If you need to permit only giosg and your site resources, nothing except for that, we have a ready CSP for you.

1
default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.giosg.com https://*.giosgusercontent.com https://*.interactions.giosgusercontent.com https://*.clients.giosgusercontent.com;

Note that if you define some more specific *-src, you'll need to merge giosg values there also. E.g. script-src.
Giosg reserves a right to serve any type of content from any of its domains, including but not limited to scripts, images, styles and iframes, so default-src would be anyway a good place to add giosg domains.