Osano and Content Security Policies (CSPs)


What is a Content Security Policy

Content Security Policies are an added security layer that helps detect and mitigate certain types of attacks (e.g., Cross-Site Scripting, data injection, etc.).

To enable a CSP, configure your web server to return the Content-Security-Policy HTTP header.

Alternatively, the <meta> element can be used to configure a policy, for example: 

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; child-src 'none';">


Implementing Osano with a CSP

If you are using a CSP, you may need to add certain allowances to it for the Osano Consent Manager script to perform optimally.
(Please note: if you are not using a CSP, you do not need to make the changes below.)

Osano uses web workers for script and cookie blocking. Web workers should be allowed in order to execute with the best performance.

Necessary Attribute: blob: Allows blob: URIs to be used as a content source.

For example (this may differ from CSP to CSP):

<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline' http: https: 'self'; script-src blob: http: https: 'self';">

You may also need to make allowances for style-src, script-src, frame-src, connect-src, and worker-src to include the osano.com domain. 

You can set "*.osano.com" as an allowed domain, or set the following as allowed sub-domains:

  • consent.api.osano.com
  • tattle.api.osano.com
  • cmp.osano.com
  • disclosure.api.osano.com
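
To check an existing policy against the allowances listed above, the following added example (not Osano's code) parses a CSP string and reports which of the page's hosts, and the blob: source for workers, are not yet permitted. The function names are hypothetical, and the directive fallback order is the standard CSP Level 3 behaviour rather than something stated on this page.

```javascript
// Added example: reports which Osano allowances a CSP string still lacks.
// Host and directive names are from this page; function names are hypothetical.
const OSANO_HOSTS = [
  'consent.api.osano.com', 'tattle.api.osano.com',
  'cmp.osano.com', 'disclosure.api.osano.com',
];
// CSP Level 3 fallback chains: the first directive present governs the fetch.
const FALLBACK = {
  'style-src': ['style-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    // Lowercasing is safe here because only hosts and schemes are compared.
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function hostAllowed(sources, host) {
  return sources.some((src) => {
    // '*' and the http:/https: scheme sources admit any HTTPS host.
    if (src === '*' || src === 'https:' || src === 'http:') return true;
    const pattern = src.replace(/^https?:\/\//, '').replace(/[:\/].*$/, '');
    return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : pattern === host;
  });
}

function missingOsanoAllowances(policy) {
  const directives = parseCsp(policy);
  const missing = [];
  for (const [name, chain] of Object.entries(FALLBACK)) {
    const governing = chain.find((d) => directives.has(d));
    if (!governing) continue; // no directive restricts this fetch type
    const sources = directives.get(governing);
    for (const host of OSANO_HOSTS) {
      if (!hostAllowed(sources, host)) missing.push(`${name}: ${host}`);
    }
    if (name === 'worker-src' && !sources.includes('blob:')) missing.push('worker-src: blob:');
  }
  return missing;
}
```

The example policy shown earlier on this page passes because its http: and https: scheme sources admit any host; the host list matters once a policy is narrowed to named hosts.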