Skip to content

Content Security Policy

The HTTP response header Content-Security-Policy allows site administrators to control which resources a user agent can load for a given page. With few exceptions, the policy primarily involves specifying the source of servers and script endpoints, thereby helping prevent cross-site scripting attacks (Cross-Site Script).

For more details, refer to Content-Security-Policy

Multiple Content Security Policies

CSP allows multiple policies to be specified within one resource, including through the Content-Security-Policy header, the Content-Security-Policy-Report-Only header, and the meta component.

Example:

// header
Content-Security-Policy: connect-src http://example.com/;
                         script-src http://example.com/

// meta tag
<meta http-equiv="Content-Security-Policy" content="connect-src http://example.com/;
                         script-src http://example.com/">

How to integrate the RUM SDK in your website application using CSP

If your website application is using CSP, after integrating the Guance RUM SDK, you may see security violation warnings in the browser. You need to add the following URLs to the corresponding directives:

Datakit Reporting URLs

Dependent on the datakitOrigin option in the RUM SDK Initialization Configuration:

 DATAFLUX_RUM.init({
      ...
      datakitOrigin: 'https://test.dk.com',
      ...
    })

In the CSP security directive, please add the following entries:

    connect-src https://*.dk.com

Web Worker

If you have enabled the RUM SDK Session Replay feature or added the compressIntakeRequests configuration in the RUM initialization configuration, ensure that the following worker-src entry is added:

 worker-src blob:;

Starting from SDK version >=3.2.0, self-hosting webworker files is supported. Add workerUrl in the SDK configuration to specify the hosting address. The worker file can be obtained in two ways:

  1. Download from the official Guance address https://static.guance.com/browser-sdk/v3/worker.js.
  2. Install the @cloudcare/browser-worker NPM package and use a build tool to include it in the build assets (see the documentation for Webpack 4, Webpack 5, Vite, and Rollup).
Prerequisites
  • Host the file on the same origin as your web application. Due to browser restrictions, it cannot be hosted on a separate domain (e.g., third-party CDN host) or other schemes.
  • Ensure SDK version >=3.2.0.

CDN Address

If you are introducing the RUM SDK using CDN asynchronous or CDN synchronous, please add the following script-src entry:

script-src https://static.guance.com

Feedback

Is this page helpful? ×