Content Security Policy (CSP)

Implementing CSP with your Dataships Cookie Banner

What is Content Security Policy?

In the simplest terms, a Content Security Policy (CSP) is an HTTP response header that tells the browser what a page is allowed to do. You control the individual security aspects through directives, each of which is assigned a set of permitted sources. Using a strict CSP helps you prevent Cross-Site Scripting (XSS) attacks by malicious users. This article explains more about CSP and how to apply a Content Security Policy header to your site.

Directives that the Cookie Banner Supports

The following directives are supported (your organization's security protocol requirements might be different):

default-src 'self'
script-src 'nonce-XXXXXXXXXX' 'strict-dynamic'

A nonce (a value that is only used once) should be dynamically generated and applied to the script tags on each page load. You may also opt to use a hash value instead; please see this documentation on how to apply your script-src value.

style-src 'self' 'unsafe-inline'
connect-src 'self' https://consentcdn.cookiebot.com
frame-src 'self' https://consentcdn.cookiebot.com
img-src 'self' data:
base-uri 'none'
object-src 'none'

An example CSP implementation using the directives above in a meta tag would look like this:

<meta 
http-equiv="Content-Security-Policy"
content="
default-src 'self';
script-src 'nonce-XXXXXXXXXX' 'strict-dynamic';
style-src 'self' 'unsafe-inline';
connect-src 'self' https://consentcdn.cookiebot.com;
frame-src 'self' https://consentcdn.cookiebot.com;
img-src 'self' data:;
base-uri 'none';
object-src 'none'
"
>

Cookie banner script example: 

<script
id="Cookiebot"
src="https://consent.cookiebot.com/uc.js"
data-cbid="00000000-0000-0000-0000-000000000000"
type="text/javascript"
nonce="XXXXXXXXXX"
></script>

CookieDeclaration script example:

<script
id="CookieDeclaration"
src="https://consent.cookiebot.com/00000000-0000-0000-0000-000000000000/cd.js"
type="text/javascript"
nonce="XXXXXXXXXX"
async
></script>

Evaluating Your Content Security Policy

We have evaluated our support against CSP Version 3 using Google's CSP Evaluator, which reports all of the directives listed above as safe. This support is re-validated for each change we make.

Limitations

CSP support is not fully compatible with Automatic Cookie Blocking. If your site contains script tags without a src attribute, we cannot determine the policy to apply to the element and the script will run regardless of the CSP applied. Please fully test your site for functionality before trying to use Automatic Cookie Blocking with a CSP header.