Implementing CSP with your Dataships Cookie Banner
What is Content Security Protocol?
In the simplest terms, a Content Security Protocol (CSP) is an HTTP response header that informs the browser what it is allowed to do. You control various security aspects through the use of directives which are assigned permissions. Using a strict CSP helps you prevent Cross Site Scripting (XSS) attacks from malicious users. This article explains more about CSP and how to apply a Content Security Protocol header to your site.
Directives that the Cookie banner Supports
The following directives are supported (your organization's security protocol requirements might be different):
default-src |
'self' |
script-src | 'nonce-XXXXXXXXXX' 'strict-dynamic' A nonce (a value that is only used once) should be dynamically generated and applied to script tags on each page load. Users may also opt to use a hash value, please see this documentation on how to apply your script-src value. |
style-src | 'self' 'unsafe-inline' |
connect-src | 'self' https://consentcdn.cookiebot.com |
frame-src | 'self' https://consentcdn.cookiebot.com |
img-src | 'self' data: |
base-uri | 'none' |
object-src | 'none' |
An example CSP implementation using the directives above in a meta tag would look this:
<meta
http-equiv="Content-Security-Policy"
content="
default-src 'self';
script-src 'nonce-XXXXXXXXXX' 'strict-dynamic';
style-src 'self' 'unsafe-inline';
connect-src 'self' https://consentcdn.cookiebot.com;
frame-src 'self' https://consentcdn.cookiebot.com;
img-src 'self' data:;
base-uri 'none';
object-src 'none'
"
>
Cookie banner script example:
<script
id="Cookiebot"
src="https://consent.cookiebot.com/uc.js"
data-cbid="00000000-0000-0000-0000-000000000000"
type="text/javascript"
nonce="XXXXXXXXXX"
></script>
CookieDeclaration script example:
<script
id="CookieDeclaration"
src="https://consent.cookiebot.com/00000000-0000-0000-0000-000000000000/cd.js"
type="text/javascript"
nonce="XXXXXXXXXX
async
></script>
Evaluating Your Content Security Protocol
We have evaluated our support against CSP Version 3 using Google's CSP Evaluator. CSP support provides safe evaluation for all the directives indicated above. This support will be validated for each change made.
Limitations
CSP support is not fully compatible with Automatic Cookie Blocking. If your site contains script tags without a src attribute, we cannot determine the policy to apply to the element and the script will run regardless of the CSP applied. Please fully test your site for functionality before trying to use Automatic Cookie Blocking with a CSP header.