
Content Security Policy

Will Morgan edited this page Nov 20, 2020 · 7 revisions

Target SDK Version: 3.1+

iProov has been asked by a number of customers for guidance on deploying the Web SDK under a Content Security Policy (CSP). Prior to version 3.1 the SDK required 'unsafe-eval'; from 3.1.0 onwards we have avoided it. Because the SDK relies on WebAssembly, and browser vendors and working groups have not yet converged on how CSP should treat that technology, the picture is complicated.

There are proposals in progress to add a specific CSP exception for WebAssembly while continuing to block eval in JavaScript. Once these are universally available, we should be able to give a single recommendation that applies to all modern browsers.

Until then we offer a tiered, per-browser approach to CSP, because Safari behaves differently from the other major browsers.

Recommended Configuration Additions

To support customers deploying CSP, we advise the configurations below as a starting point.

  • If you set custom base_url or assets_url options, replace *.secure.iproov.me and cdn.iproov.app respectively with your own hosts.
  • If you serve the Web SDK assets from the same origin as your page, workers are instantiated directly. Otherwise the cross-origin Worker pattern is used, which requires blob: in worker-src and, where applicable, child-src.
  • Replace the CSP_NONCE_ATTRIBUTE placeholder with a per-response nonce (unique and unpredictable, generated server-side for each response) and pass the same value to the SDK via the csp_nonce option, available from 3.1.0-beta.3.
  • If you do not wish to use a nonce, you can substitute 'unsafe-inline' in style-src instead, at the cost of permitting any inline style on the page.

A-Grade (CSP Level 3 Browsers like Chrome, Edge, Firefox)

default-src 'self' https: cdn.iproov.app;
font-src 'self';
script-src https: blob: cdn.iproov.app;
style-src https: cdn.iproov.app 'nonce-CSP_NONCE_ATTRIBUTE';
worker-src blob: https: cdn.iproov.app;
connect-src https: wss: *.secure.iproov.me;

B-Grade (Safari)

default-src 'self' https: cdn.iproov.app;
font-src 'self';
script-src https: blob: cdn.iproov.app 'unsafe-eval';
style-src https: cdn.iproov.app 'nonce-CSP_NONCE_ATTRIBUTE';
worker-src blob: https: cdn.iproov.app;
child-src blob: https: cdn.iproov.app;
connect-src https: wss: *.secure.iproov.me;

Note that:

  • This advice applies to Web SDK 3.1.0 GA.
  • There is no one-size-fits-all CSP template.
  • These requirements will change according to how the Web SDK is integrated into your web app.
  • The https: source expression in script-src permits scripts from any HTTPS origin, which weakens the policy's protection against injected script. Treat it as a starting point and narrow script-src to the origins you have verified your integration needs.

Why do you require a nonce or unsafe-inline for style-src?

We deliver a small payload of inline CSS so that <iproov-me> does not cause a flash of unstyled content (FOUC) before, during or after it loads into the DOM. It is more convenient for everyone if the component manages its own critical render path; that way, no configuration is needed from the integration team.

Known issues

  • As of November 2020, our web component wrapper emits a single CSP violation if 'unsafe-inline' is not specified in script-src. This can be safely ignored.
  • As of November 2020, script-src 'unsafe-eval' is required in Safari for the correct operation of any WebAssembly module.

iProov's ultimate goal is for the SDK to require minimal CSP changes beyond allowlisting the base (streaming) and asset URLs.