
How to Configure your Content Security Policy for iubenda

This guide is for website administrators who use a Content Security Policy (CSP) on their site.

A CSP lets a website administrator declare which sources the browser may treat as valid origins of executable script. A CSP-compatible browser will then run only scripts that come from those whitelisted sources and will refuse everything else, including inline scripts, unless the policy explicitly allows them.

This conflicts with our Privacy and Cookie Policy, Terms and Conditions, Cookie Solution and Consent Database scripts, which combine an inline configuration snippet with an external script loaded from our CDN. The fix is simple.

How to Fix Conflicts Between Your CSP and iubenda

Here’s how to whitelist our Privacy and Cookie Policy, Terms and Conditions, Cookie Solution and Consent Database scripts, so that they can work properly with your CSP:

1. Add a nonce to inline scripts

First, give the iubenda inline script tag a nonce attribute containing a cryptographic nonce (a number used once). The same value must appear in your policy's script-src directive; if it does not, the browser refuses to run the inline snippet. For example:

<script type="text/javascript" nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
  //iubenda snippet
</script>

Now add the nonce to your script-src directive, prefixed with the nonce- keyword and wrapped in single quotes:

Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'

So, for example, in Cookie Solution’s case, the implementation will look something like:

<script type="text/javascript" nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
    var _iub = _iub || [];
    _iub.csConfiguration = {
        "lang": "en",
        "siteId": 12345678,          // placeholder: your site ID
        "cookiePolicyId": 12345678,  // placeholder: your cookie policy ID
        "banner": {
            "position": "float-top-center",
            "acceptButtonDisplay": true,
            "customizeButtonDisplay": true
        }
    };
</script>
<script type="text/javascript" src="//cdn.iubenda.com/cs/iubenda_cs.js" charset="UTF-8" async></script>

Note that the nonce has been added only to the inline script. The external script from cdn.iubenda.com is not covered by the nonce; it is allowed by the host whitelist described in the next step.

Important

Nonces must be regenerated for every response and must be unguessable: generate at least 128 bits from a cryptographically secure random source and base64-encode them. A nonce that is static, or reused across responses, can simply be copied by an attacker who manages to inject markup into your page, which defeats the purpose of the CSP.

2. Whitelist iubenda’s domain for external scripts

Now allow content from iubenda's domain and subdomains so that the external scripts, stylesheets, frames and images can load from there. Here is a complete Content-Security-Policy that combines the nonce with the host whitelist:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' *.iubenda.com 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'unsafe-eval';
  connect-src 'self' *.iubenda.com;
  style-src 'self' 'unsafe-inline' *.iubenda.com;
  frame-src 'self' *.iubenda.com;
  img-src 'self' *.iubenda.com data:

Each directive repeats 'self' because a directive that is present replaces default-src entirely for its resource type; without it, your own stylesheets, images, frames and XHR/fetch requests would be blocked alongside everything else.

Be aware that 'unsafe-eval' re-enables eval() and new Function() for every script on the page, and 'unsafe-inline' in style-src permits any inline style, so both weaken the policy. Keep them only if the iubenda scripts fail without them: remove them in a test environment and watch the browser console, or a report-uri / report-to endpoint, for violations before deciding.

And that’s it. You can find more information about CSP and common use cases at MDN Web Docs.