What is a Content Security Policy (CSP)
A Content Security Policy (CSP) adds an extra layer of defence by letting the browser detect and block certain classes of attack, such as Cross-Site Scripting (XSS) and data injection, that depend on loading scripts or other resources from sources the site never intended to trust.
To enable CSP, configure your web server to return the Content-Security-Policy HTTP header. Alternatively, a <meta> element can set a CSP, for example:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; child-src 'none';">
Note that the <meta> form cannot carry every directive (frame-ancestors, report-uri and sandbox are ignored there) and only takes effect once the parser reaches it, so the HTTP header is preferred wherever you control the server.
Implementing Osano with a CSP
If your site sends a CSP, the policy must explicitly allow the sources the Osano Consent Manager script loads from. The browser blocks anything the policy does not list, so an incomplete policy can stop the consent dialog or Osano's script and cookie blocking from working, with the only sign being a violation message in the browser console. If you are not using a CSP, no changes are required.
Required Allowances
- Web Workers: Osano uses web workers for script and cookie blocking, so your CSP must permit them. Workers are governed by worker-src; if that directive is absent the browser falls back to child-src and then to script-src, so a policy like the child-src 'none' example above with no worker-src will block them.
- Blob URIs: Osano also uses blob: URIs, so add blob: as an allowed source in the directive(s) of your CSP that govern the resources loaded from them.
Example: (Example purposes only - must be configured to meet your CSP needs)
Nonce Support: For tighter control, use a nonce to allow specific inline scripts while blocking all others. To implement a nonce-based CSP for Osano, generate a nonce for each response, put it in the nonce attribute of each inline script you want to allow (including the Osano snippet), and include the same value as 'nonce-<value>' in the script-src directive.
Example with Nonce: (Example purposes only - must be configured to meet your CSP needs)
Replace <unique-nonce> with a freshly generated value for each request. The nonce must be unpredictable (at least 128 bits from a cryptographic random source, base64-encoded) and must never be reused across responses; a static or guessable nonce gives anyone who can inject markup into the page the same allowance as your own scripts.
Allow Specific Domains: To ensure full functionality, add allowances for style-src, script-src, frame-src, connect-src, and worker-src for the osano.com domain. You can set *.osano.com as an allowed domain or, for a tighter policy, list only the subdomains Osano uses:
- consent.api.osano.com
- tattle.api.osano.com
- cmp.osano.com
- disclosure.api.osano.com
Listing the subdomains explicitly is the least-privilege option: the wildcard also admits every other osano.com subdomain (and, under the CSP specification, a *.osano.com source matches subdomains only, not the bare osano.com host).