...
Below you will find the domain Mopinion uses and an example of how this should be defined in Nginx.
Type | Domains | Extra* |
|---|---|---|
script-src | https://*.mopinion.com |
‘unsafe-inline' OR ‘nonce-{{YOUR-NONCE}}’ OR load from separate source* | ||
style-src | https://*.mopinion.com https://fonts.googleapis.com | ‘unsafe-inline' OR ‘nonce-{{YOUR-NONCE}}’ |
frame-src | https://*.mopinion.com | |
connect-src | http://*.mopinion.com | |
img-src | https://*.mopinion.com | |
font-src | 'self' data: https://*.mopinion.com https://fonts.gstatic.com |
| Info |
|---|
* The 'unsafe-inline' setting is only needed when the script is loaded inline in the HTML of the page. When using a tag manager or loading the script from a file ‘unsafe-inline’ can be removed from the CSP. |
...
| Code Block |
|---|
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' https://*.mopinion.com; style-src 'self' https://*.mopinion.com https://fonts.googleapis.com; frame-src https://*.mopinion.com; connect-src https://*.mopinion.com; font-src 'self' data: https://*.mopinion.com https://fonts.gstatic.com;"; |
Using a Nonce:
For the style-src a nonce needs to be available on the page. This can be added to the Mopinion script if this is the only script for which a nonce is used. If the nonce is already used it will automatically be picked up by the Mopinion script.
| Code Block |
|---|
<script nonce="{{nonce}}">
...Mopinion script
</script>
|
If a separate nonce is used for the style-src and it’s not used elsewhere on the page add the nonce as follows.
| Code Block |
|---|
<script nonce="{{nonce}}" data-style-nonce="{{stylenonce}}">
...Mopinion script
</script> |
CORS header
| Code Block |
|---|
<IfModule mod_headers.c> <FilesMatch "\.(ttf|ttc|otf|eot|woff| woff2|font.css|css|js)$"> Header set Access-Control-Allow-Origin "*.mopinion.com" </FilesMatch> |
...