Using the Minerva SDK with your Content Security Policy

All the Minerva domains to allow in your CSP

Overview

A Content Security Policy (CSP) is a security mechanism for modern browsers that can restrict capabilities on a web page in order to protect end users from a range of possible injection attacks, including cross-site scripting (XSS).

This article identifies the required CSP directives to allow full Minerva SDK functionality.

CSP requirements

The following are required if your CSP defines an allowed list of domains for a particular directive.

For example, if your CSP defines a directive of “script-src https:”, then you do not need to specify the “*.minervaknows.com” hosts because “https:” is a more generic value. Also, if your CSP defines a particular directive (e.g., connect-src), then please include the Minerva domain(s) to ensure continued SDK functionality.

child-src:

  https://sdk-services.minervaknows.com


​​connect-src:

  https://api.minervaknows.com

  https://sdk.minervaknows.com


script-src:

  https://sdk.minervaknows.com

  https://sdk-services.minervaknows.com


style-src:

  'unsafe-inline'

We aim to promote best practices for the modern web, so our goal is to support full Minerva SDK functionality with a strict CSP.

Conclusion

Adopting a CSP is a great way to add a layer of security to your web applications. If you need help with your CSP and the Minerva SDK, send us a message. We’re happy to help!