How do I set my CSP header?

Some websites restrict which domains resources may be loaded from, allowing only their own. If you want Mopinion feedback forms on such a website, you may need to add HTTP headers that permit Mopinion's domains. For more information on Content Security Policy headers please see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.

Content Security Policy (CSP) header

Below you will find the domains Mopinion uses, listed per CSP directive, and an example of how these should be defined in Nginx.

Type          Domains                                                          Extra*
script-src    https://*.mopinion.com                                           'unsafe-inline'
style-src     https://*.mopinion.com https://fonts.googleapis.com
frame-src     https://*.mopinion.com
connect-src   https://*.mopinion.com
img-src       https://*.mopinion.com
font-src      'self' data: https://*.mopinion.com https://fonts.gstatic.com

*The 'unsafe-inline' setting is only needed when the script is placed inline in the HTML of the page. When the script is loaded through a tag manager or from a file, 'unsafe-inline' can be removed from the CSP.

Example in Nginx:

add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' https://*.mopinion.com; style-src 'self' https://*.mopinion.com https://fonts.googleapis.com; frame-src https://*.mopinion.com; connect-src https://*.mopinion.com; img-src 'self' https://*.mopinion.com; font-src 'self' data: https://*.mopinion.com https://fonts.gstatic.com;";
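Before changing a live policy it is useful to check an existing Content-Security-Policy value against the table above. The script below is an added example, not Mopinion's own tooling: it parses a header value, applies the browser's fallback rules (a missing fetch directive inherits default-src; if neither is present the resource type is unrestricted; the first occurrence of a duplicated directive wins) and reports which directives would block a Mopinion resource. The REQUIRED table mirrors the directive table above, using https for connect-src as the Nginx example does; the sample headers are constructed.

```python
"""Check a Content-Security-Policy header value against the sources Mopinion needs.

Added example, not Mopinion's own tooling. REQUIRED mirrors the directive table
on this page; the sample headers at the bottom are constructed.
"""

# Directive -> sources Mopinion needs, per the table above.
REQUIRED = {
    "script-src":  {"https://*.mopinion.com"},
    "style-src":   {"https://*.mopinion.com", "https://fonts.googleapis.com"},
    "frame-src":   {"https://*.mopinion.com"},
    "connect-src": {"https://*.mopinion.com"},
    "img-src":     {"https://*.mopinion.com"},
    "font-src":    {"'self'", "data:", "https://*.mopinion.com", "https://fonts.gstatic.com"},
}


def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}.

    Directive names are case-insensitive. When a directive appears twice the
    browser keeps the first occurrence and ignores the rest, so we do the same.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def covers(sources, needed):
    """True if a source list admits `needed`: exact match, the '*' wildcard or a bare scheme."""
    if needed in sources:
        return True
    if needed.startswith("https://"):
        return "*" in sources or "https:" in sources
    if needed == "'self'":
        return "*" in sources  # the site's own https origin matches the wildcard
    return False  # data: and other non-network schemes must be listed explicitly


def check_mopinion_csp(header):
    """Return (errors, warnings) for a CSP header value.

    errors:   directives that would block a Mopinion resource.
    warnings: settings that work but are broader than needed.
    """
    policy = parse_csp(header)
    errors, warnings = [], []
    for directive, needed in REQUIRED.items():
        if directive in policy:
            sources, via = policy[directive], directive
        elif "default-src" in policy:
            sources, via = policy["default-src"], "default-src"  # fetch directives fall back to default-src
        else:
            continue  # neither set: the browser does not restrict this resource type at all
        missing = sorted(s for s in needed if not covers(sources, s))
        if missing:
            errors.append(f"{directive} (from {via}) is missing {' '.join(missing)}")
    if "'unsafe-inline'" in policy.get("script-src", []):
        warnings.append("script-src allows 'unsafe-inline'; drop it if the Mopinion script "
                        "is loaded from a file or a tag manager rather than inline")
    return errors, warnings


# Constructed sample headers: the Nginx example from this page, and two policies
# a site might already have before adding Mopinion.
PAGE_EXAMPLE = ("script-src 'self' 'unsafe-inline' https://*.mopinion.com; "
                "style-src 'self' https://*.mopinion.com https://fonts.googleapis.com; "
                "frame-src https://*.mopinion.com; connect-src https://*.mopinion.com; "
                "font-src 'self' data: https://*.mopinion.com https://fonts.gstatic.com;")
STRICT_DEFAULT = "default-src 'self'"
PARTIAL = "default-src 'self'; script-src 'self' https://*.mopinion.com; font-src *"

if __name__ == "__main__":
    samples = [("page example", PAGE_EXAMPLE), ("strict default", STRICT_DEFAULT), ("partial", PARTIAL)]
    for label, header in samples:
        errors, warnings = check_mopinion_csp(header)
        print(f"{label}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for line in errors + warnings:
            print("  -", line)
```

Run it against the value your server actually sends (for example the output of `curl -sI https://your-site.example | grep -i content-security-policy`) rather than the one in your config file, since proxies and CDNs sometimes add or override the header. Note that the page example passes without an img-src entry only because it sets no default-src; a site that does set default-src 'self' must add img-src explicitly, as the "strict default" sample shows.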

CORS header

Example in Apache:

<IfModule mod_headers.c>
  <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font\.css|css|js)$">
    # Access-Control-Allow-Origin accepts only "*" or one exact origin, so a
    # wildcard such as "*.mopinion.com" is ignored by browsers. Echo the request's
    # Origin back only when it is an https mopinion.com host (SetEnvIf is in mod_setenvif).
    SetEnvIf Origin "^https://([A-Za-z0-9-]+\.)*mopinion\.com$" ORIGIN_OK=$0
    Header set Access-Control-Allow-Origin "%{ORIGIN_OK}e" env=ORIGIN_OK
    Header merge Vary "Origin" env=ORIGIN_OK
  </FilesMatch>
</IfModule>

For more information on Cross-Origin Resource Sharing (CORS) please see this article about CORS at MDN web docs.
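The decision the Apache rule makes (echo the request's Origin only when it belongs to mopinion.com, otherwise send no CORS header) is easy to get wrong, so here it is as a small Python function, added as an example and not part of Mopinion's documentation or code. It assumes that only https mopinion.com origins should be allowed and that the request headers are available as a dictionary; the origins in the test are constructed.

```python
import re

# Origins allowed to read fonts, CSS and JS cross-origin: https://mopinion.com and
# its subdomains. Assumption (not from the page): plain http origins are not allowed.
ALLOWED_ORIGIN = re.compile(r"^https://([a-z0-9-]+\.)*mopinion\.com$", re.IGNORECASE)


def cors_headers(request_headers):
    """Return the response headers to add for a cross-origin request.

    Browsers compare Access-Control-Allow-Origin with the request's Origin byte
    for byte (or accept "*"), so the value must be an exact origin, never a
    pattern like "*.mopinion.com". We therefore echo the validated Origin and
    add "Vary: Origin" so caches keep per-origin responses apart. An empty
    result means no CORS header is sent and the browser denies the read.
    """
    origin = request_headers.get("Origin")
    if origin is None or not ALLOWED_ORIGIN.match(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed sample origins.
    for origin in ("https://app.mopinion.com", "https://mopinion.com",
                   "http://app.mopinion.com", "https://mopinion.com.example"):
        print(origin, "->", cors_headers({"Origin": origin}) or "no CORS header")
```

The anchored regex matters: without the trailing `$`, an origin such as `https://mopinion.com.example` would match and be granted access, and without the scheme prefix a plain http origin would be echoed on an https site.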