Content Security Policy directives
Content Security Policy (CSP) is a security standard introduced by the World Wide Web Consortium (W3C) to help prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in a trusted web page context.
CSP is typically implemented as an HTTP response header named Content-Security-Policy, which allows you to restrict how resources such as JavaScript, CSS, fonts, images, and other content are loaded and executed by the browser. By specifying a set of directives, you can control the sources of content that the browser is allowed to load, thus mitigating the risk of content injection attacks.
CSP is supported by all modern browsers, including Chrome, Firefox, Safari, Edge, and Opera, and has been widely adopted for many years. Please note that Internet Explorer does not support the standard Content-Security-Policy header (it only honoured the sandbox directive via the prefixed X-Content-Security-Policy header).
The Content-Security-Policy header value consists of one or more directives, separated by semicolons. Each directive is a name followed by a space-separated list of allowed sources and specifies a policy for a specific resource type or behavior. The sources required for the Fundraise Up platform to function properly are listed below, grouped by directive. The "// optional" annotations are notes, not part of the header value; include those sources only if you use the payment method or feature they mention. The list covers only Fundraise Up's sources: your policy still needs to allow your own origin (for example 'self') and any other third parties your site uses, and it is your default-src (absent from this list) that governs any resource type not named here.
connect-src
    fndrsp.net
    fndrsp-checkout.net
    *.fundraiseup.com
    *.stripe.com
    *.paypal.com // optional, for PayPal
    *.paypalobjects.com // optional, for PayPal
    pay.google.com // optional, for Google Pay
    https://google.com/pay // optional, for Google Pay
    api.addressy.com // optional, for UK based accounts

script-src
    *.fundraiseup.com
    *.stripe.com
    m.stripe.network
    pay.google.com // optional, for Google Pay
    *.paypal.com // optional, for PayPal
    *.paypalobjects.com // optional, for PayPal

frame-src
    *.fundraiseup.com
    *.stripe.com
    *.paypal.com // optional, for PayPal
    pay.google.com // optional, for Google Pay

img-src
    data:
    *.fundraiseup.com
    ucarecdn.com
    pay.google.com // optional, for Google Pay
    *.paypalobjects.com // optional, for PayPal

font-src
    *.fundraiseup.com
    *.stripe.com

style-src
    'unsafe-inline'
Special note for payment methods using pop-ups
Some payment methods, such as Google Pay and PayPal, open a pop-up window during the payment flow. The pop-up has to keep a reference to the page that opened it, so for these payment methods to function properly the following additional HTTP response header needs to be set (it is a separate header, not a CSP directive):
Cross-Origin-Opener-Policy: same-origin-allow-popups
If your site sends Cross-Origin-Opener-Policy: same-origin, the browser cuts the pop-up off from its opener and the payment window may not open correctly or could display an error to the user. The same-origin-allow-popups value keeps the isolation for your own pages while letting the payment pop-up communicate with the donation page. To ensure a smooth donation process for your supporters across all browsers, it's highly recommended to include this header when using payment methods that rely on pop-ups.
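The following is an added example, not Fundraise Up's own code: it assembles the Content-Security-Policy value from the directive lists above (including the optional PayPal, Google Pay and Addressy sources on request), pairs it with the Cross-Origin-Opener-Policy header the pop-up payment methods need, and then checks sample URLs against the finished policy with a simplified CSP3 source matcher. It assumes the donation page is served over HTTPS and adds 'self' to the resource directives so your own assets still load; the origin https://donate.example and the sample URLs are constructed for the demonstration.

```javascript
'use strict';
// Added example (not Fundraise Up's code). Sources below are copied from the
// directive lists on this page; 'self' and the HTTPS-only assumption are ours.

const REQUIRED = {
  'connect-src': ['fndrsp.net', 'fndrsp-checkout.net', '*.fundraiseup.com', '*.stripe.com'],
  'script-src': ['*.fundraiseup.com', '*.stripe.com', 'm.stripe.network'],
  'frame-src': ['*.fundraiseup.com', '*.stripe.com'],
  'img-src': ['data:', '*.fundraiseup.com', 'ucarecdn.com'],
  'font-src': ['*.fundraiseup.com', '*.stripe.com'],
  'style-src': ["'unsafe-inline'"],
};

// Optional sources, keyed by the option that needs them.
const OPTIONAL = {
  paypal: {
    'connect-src': ['*.paypal.com', '*.paypalobjects.com'],
    'script-src': ['*.paypal.com', '*.paypalobjects.com'],
    'frame-src': ['*.paypal.com'],
    'img-src': ['*.paypalobjects.com'],
  },
  googlePay: {
    'connect-src': ['pay.google.com', 'https://google.com/pay'],
    'script-src': ['pay.google.com'],
    'frame-src': ['pay.google.com'],
    'img-src': ['pay.google.com'],
  },
  addressy: { 'connect-src': ['api.addressy.com'] }, // UK based accounts
};

// Assumption: the site also needs its own origin for these resource types.
const SELF_DIRECTIVES = ['connect-src', 'script-src', 'img-src', 'font-src', 'style-src'];

// Serialise one policy: directives joined by "; ", sources by spaces, no duplicates.
function buildCsp(options = {}) {
  const policy = {};
  const add = (dir, sources) => {
    if (!policy[dir]) policy[dir] = [];
    for (const s of sources) if (!policy[dir].includes(s)) policy[dir].push(s);
  };
  for (const dir of SELF_DIRECTIVES) add(dir, ["'self'"]);
  for (const [dir, sources] of Object.entries(REQUIRED)) add(dir, sources);
  for (const [name, dirs] of Object.entries(OPTIONAL)) {
    if (options[name]) for (const [dir, sources] of Object.entries(dirs)) add(dir, sources);
  }
  return Object.entries(policy).map(([dir, s]) => `${dir} ${s.join(' ')}`).join('; ');
}

// Both headers to emit. COOP is its own header, not a CSP directive, and is
// only needed when a pop-up based payment method is enabled.
function securityHeaders(options = {}) {
  const headers = { 'Content-Security-Policy': buildCsp(options) };
  if (options.paypal || options.googlePay) {
    headers['Cross-Origin-Opener-Policy'] = 'same-origin-allow-popups';
  }
  return headers;
}

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name] = sources;
  }
  return policy;
}

// Simplified CSP3 matching: '*.' covers subdomains only (not the apex), a path
// ending in '/' is a prefix, any other path must match exactly. Ports are ignored.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not URL sources
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(?:\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  // A scheme-less host-source on an HTTPS page matches only https: and wss:.
  const schemeOk = scheme ? url.protocol === scheme.toLowerCase() + ':' : ['https:', 'wss:'].includes(url.protocol);
  if (!schemeOk || !hostMatches(host.toLowerCase(), url.hostname)) return false;
  if (!path) return true;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// frame-src falls back to child-src, then default-src; everything else to default-src.
const FALLBACK = { 'frame-src': ['child-src', 'default-src'] };

function allows(header, directive, urlString, pageOrigin = 'https://donate.example') {
  const policy = parseCsp(header);
  const governing = [directive, ...(FALLBACK[directive] || ['default-src'])].find((d) => policy[d]);
  if (!governing) return true; // neither the directive nor default-src is set: unrestricted
  const url = new URL(urlString);
  return policy[governing].some((s) => sourceMatches(s, url, pageOrigin));
}
```

Two results are worth noticing when you run it: *.fundraiseup.com does not cover fundraiseup.com itself (wildcard sources match subdomains only), and because the list on this page sets no default-src, a resource type it does not name, such as media-src, is left unrestricted until you add one.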