Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
If enabling CSP and the web server is configured to return the Content-Security-Policy for inline styles, a pinned version of messenger will be required to ensure that the secure hash algorithm (SHA
) does not change and therefore break the content policy.
If using version pinning - the following script URLs can be used within the client script
//lightning.production.helium.servismatrixcdn.com/v2/<version_number>/bundle-messenger.js
//lightning.us1.helium.servismatrixcdn.com/v2/<version_number>/bundle-messenger.js
If setting a CSP
of style-src 'self'
a SHA
must be provided as part of the CSP
content as follows
<meta
http-equiv="Content-Security-Policy"
content="
style-src 'self' fonts.googleapis.com cdn.jsdelivr.net cdn.datatables.net *.servismatrixcdn.com *.servismatrix.com sborg-heupper-stgevopayments.s3.amazonaws.com cognito-identity.eu-west-1.amazonaws.com 'sha256-<value_here>';
"
/>