...
Fetch Directive | Domains | Extra* |
---|---|---|
script-src | https://*.mopinion.com | ‘unsafe-inline' OR ‘nonce-{{YOUR-NONCE}}’ OR load from separate source. The 'unsafe-inline' setting is only needed when the Mopinion deploymentcode is loaded inline in the HTML of the page. When using a tag manager or loading the Mopinion deployment code from a file ‘unsafe-inline’ for the script-src can be removed from the CSP. |
style-src | https://*.mopinion.com https://fonts.googleapis.com | Either ‘unsafe-inline' OR a ‘nonce-{{YOUR-NONCE}}’ is required regardless of whether the Mopinion deployment code is loaded inline in the HTML of the page, using a tag manager or loading the script from a separate source. |
frame-src | https://*.mopinion.com | |
connect-src | https://*.mopinion.com | |
img-src | https://*.mopinion.com | |
font-src | 'self' data: https://*.mopinion.com https://fonts.gstatic.com |
Example in Nginx:
Code Block |
---|
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' https://*.mopinion.com; style-src 'self' https://*.mopinion.com https://fonts.googleapis.com; frame-src https://*.mopinion.com; connect-src https://*.mopinion.com; font-src 'self' data: https://*.mopinion.com https://fonts.gstatic.com;"; |
...