Content Security Policy directives

Content Security Policy (CSP) is a security standard introduced by the World Wide Web Consortium (W3C) to help prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in a trusted web page context.

CSP is typically implemented as an HTTP response header named Content-Security-Policy, which allows you to restrict how resources such as JavaScript, CSS, fonts, images, and other content are loaded and executed by the browser. By specifying a set of directives, you can control the sources of content that the browser is allowed to load, thus mitigating the risk of content injection attacks.

CSP is supported by all modern browsers, including Chrome, Firefox, Safari, Edge, and Opera. It has been widely adopted and supported for many years. Please note that Internet Explorer does not support CSP.

The Content-Security-Policy header value consists of one or more directives, separated by semicolons. Each directive specifies a policy for a specific resource type or behavior. The directives necessary for the Fundraise Up platform to function properly are listed below:

*
*
*            // optional, for PayPal
*            // optional, for PayPal
             // optional, for Google Pay
             // optional, for Google Pay
             // optional, for UK based accounts
*
*
             // optional, for Google Pay
*            // optional, for PayPal
*            // optional, for PayPal
*
*
*            // optional, for PayPal
             // optional, for Google Pay
data:
*
             // optional, for Google Pay
*            // optional, for PayPal
*
*
'unsafe-inline'

Special note for payment methods using pop-ups

Some payment methods, such as Google Pay and PayPal, open a pop-up window during the payment flow. For these payment methods to function properly, the following additional CSP header needs to be set:

Cross-Origin-Opener-Policy: same-origin-allow-popups

Without this header, the payment pop-up may not open correctly and could display an error to the user. To ensure a smooth donation process for your supporters across all browsers, it's highly recommended to include this header when using payment methods that rely on pop-ups.
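To check a deployed policy against a list of required sources, the following added example (not part of this page or the Fundraise Up platform's own code) parses a Content-Security-Policy header into directives, applies the default-src fallback, matches host wildcards and scheme sources such as data:, and checks that the Cross-Origin-Opener-Policy header has the value needed for pop-up payment flows. The hostnames in SAMPLE_HEADERS are constructed placeholders, and the matcher is a simplification (no 'self' resolution, no child-src step for frame-src).

```python
import re

# Constructed sample headers for illustration; hostnames are placeholders, not a real platform's.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' *.cdn.example; "
        "connect-src 'self' https://api.example https://*.pay.example; "
        "frame-src https://checkout.example; img-src 'self' data: *.cdn.example; "
        "style-src 'self' 'unsafe-inline'",
    "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
}
# Fetch directives that fall back to default-src when absent (simplified: in CSP Level 3
# frame-src consults child-src first, which is omitted here).
FALLBACK = {"script-src", "connect-src", "frame-src", "img-src", "style-src", "font-src"}

def parse_csp(value):
    """Split a header value into {directive: [source expressions]}; names are case-insensitive."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, scheme, host):
    """Match a host- or scheme-source against a URL; keywords like 'self' never match here."""
    if expr == "*":             # bare wildcard covers network schemes only, never data:
        return scheme in ("http", "https")
    if expr.endswith(":"):      # scheme-source such as data: or https:
        return scheme == expr[:-1]
    m = re.fullmatch(r"(?:(\w+)://)?([\w.*-]+)(?::\d+)?(?:/.*)?", expr)
    if not m:
        return False
    expr_scheme, expr_host = m.group(1), m.group(2).lower()
    if expr_scheme and expr_scheme != scheme:
        return False
    if expr_host.startswith("*."):   # *.cdn.example matches a.cdn.example, not cdn.example
        return host.endswith(expr_host[1:])
    return host == expr_host

def allows(policy, directive, url):
    """True if the policy permits loading url under directive, honouring default-src fallback."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK:
        sources = policy.get("default-src", [])
    scheme, sep, rest = url.partition("://")
    host = rest.split("/", 1)[0].split(":")[0].lower() if sep else ""
    if not sep:                 # scheme-only URL such as data:image/png;base64,...
        scheme = url.split(":", 1)[0]
    return any(source_matches(s, scheme, host) for s in sources or [])

def popups_allowed(headers):
    """Pop-up payment flows need COOP same-origin-allow-popups; plain same-origin severs the opener."""
    return headers.get("Cross-Origin-Opener-Policy", "").strip().lower() == "same-origin-allow-popups"
```

Feed it the headers your server actually sends and a list of the (directive, URL) pairs a payment integration needs; any pair for which allows() returns False is a resource the browser will block.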

