Content Security Policy Header: How to Whitelist Crobox

In this article we describe the steps your team needs to take to whitelist Crobox in your Content Security Policy header.

What to do if your website enforces a Content Security Policy header:

Crobox loads scripts, fonts, images and fetches data from 2 domains, so you need to add both of the following to your CSP:

  • cdn.crobox.io

  • api.crobox.com

to the script-src, font-src, img-src and connect-src (fetch/XHR) sections of the CSP header, or to default-src if you are not using those specific directives. Crobox creates its stylesheets dynamically, so you will also need to add 'unsafe-inline' to the style-src section.

Other third parties that may be used are Google Fonts and Unsplash, so their resources also need to be whitelisted if they are not already included in your CSP.

Depending on how strictly the policy is applied, you might also have to add 'unsafe-eval' to script-src, since the Crobox preview mode uses it.
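The following is an added worked example, not part of the original article or of Crobox's own tooling: a small Python helper that merges the allow-list above into an existing Content-Security-Policy value. It uses connect-src for the fetch/XHR requests, creates a missing directive from the existing default-src sources (so adding Crobox neither widens nor narrows the rest of the policy), and only adds 'unsafe-eval' when you opt into preview mode. The sample header strings are constructed for illustration.

```python
"""Merge the Crobox allow-list into an existing Content-Security-Policy value."""

CROBOX_HOSTS = ["cdn.crobox.io", "api.crobox.com"]  # the two domains from the article
# Directives the hosts must appear in; connect-src governs fetch/XHR data requests.
CROBOX_DIRECTIVES = ["script-src", "font-src", "img-src", "connect-src"]


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}, preserving order."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Turn the parsed policy back into a header value."""
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())


def add_sources(policy, directive, sources):
    """Append sources to a directive without duplicates.

    If the directive is absent, the browser would fall back to default-src, so
    the new directive starts as a copy of default-src's sources. A lone 'none'
    is dropped, because 'none' may not be combined with other sources.
    """
    if directive not in policy:
        inherited = list(policy.get("default-src", []))
        policy[directive] = [] if inherited == ["'none'"] else inherited
    for src in sources:
        if src not in policy[directive]:
            policy[directive].append(src)


def whitelist_crobox(header, preview_mode=False):
    """Return the header value with the Crobox sources merged in."""
    policy = parse_csp(header)
    for directive in CROBOX_DIRECTIVES:
        add_sources(policy, directive, CROBOX_HOSTS)
    # Crobox injects its stylesheets dynamically, so style-src needs 'unsafe-inline'.
    add_sources(policy, "style-src", ["'unsafe-inline'"])
    # 'unsafe-eval' is only required for the Crobox preview mode.
    if preview_mode:
        add_sources(policy, "script-src", ["'unsafe-eval'"])
    return serialize_csp(policy)


if __name__ == "__main__":
    # Constructed sample policy, as a site might send it before adding Crobox.
    print(whitelist_crobox("default-src 'self'; script-src 'self' https://example.com; style-src 'self'"))
```

Running the merged value through a CSP evaluator before deploying it is a cheap way to confirm that nothing else in the policy was loosened.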
