What is a Content Security Policy?
In the simplest terms, a Content Security Policy (CSP) is an HTTP response header that tells the browser what it is allowed to do. You control the individual security aspects through directives, each of which is assigned a set of permitted sources. Using a strict CSP helps you prevent Cross-Site Scripting (XSS) attacks from malicious users. This article explains more about CSP and how to apply a Content Security Policy header to your site.
Directives that Cookiebot Supports
Cookiebot supports the following directives (your organization's security protocol requirements might be different):
Directive | Value | Notes
default-src | 'self' |
script-src | 'nonce-XXXXXXXXXX' 'strict-dynamic' | A nonce (a value that is used only once) should be generated dynamically and applied to the script tags on each page load. Users may also opt to use a hash value; please see this documentation on how to apply your script-src value.
style-src | 'self' 'unsafe-inline' |
connect-src | 'self' https://consentcdn.cookiebot.com https://consent.cookiebot.com |
frame-src | 'self' https://consentcdn.cookiebot.com |
img-src | 'self' data: |
base-uri | 'none' |
object-src | 'none' |
Note that if you reference https://consent.cookiebot.eu/uc.js, you also need to update the hosts above to .eu. For example:
connect-src | 'self' https://consentcdn.cookiebot.eu https://consent.cookiebot.eu |
An example CSP implementation using the directives above in a meta tag would look like this:
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self';
    script-src 'nonce-XXXXXXXXXX' 'strict-dynamic';
    style-src 'self' 'unsafe-inline';
    connect-src 'self' https://consentcdn.cookiebot.com https://consent.cookiebot.com;
    frame-src 'self' https://consentcdn.cookiebot.com;
    img-src 'self' data:;
    base-uri 'none';
    object-src 'none'"
>
<script
  id="Cookiebot"
  src="https://consent.cookiebot.com/uc.js"
  data-cbid="00000000-0000-0000-0000-000000000000"
  type="text/javascript"
  nonce="XXXXXXXXXX"
></script>
<script
  id="CookieDeclaration"
  src="https://consent.cookiebot.com/00000000-0000-0000-0000-000000000000/cd.js"
  type="text/javascript"
  nonce="XXXXXXXXXX"
  async
></script>
Evaluating Your Content Security Policy
We have evaluated our support against CSP Version 3 using Google's CSP Evaluator. All of the directives listed above evaluate as safe. This support will be re-validated for each change we make.
Limitations
Cookiebot’s CSP support is not fully compatible with Automatic Cookie Blocking. If your site contains script tags without a src attribute, we cannot determine the policy to apply to the element and the script will run regardless of the CSP applied. Please fully test your site for functionality before trying to use Automatic Cookie Blocking with a CSP header.
Comments
1 comment
Please make this work without having to enable 'unsafe-inline' scripts. As the keyword suggests, I have to open a security hole to make Cookiebot work.