Content Security Policy directives

Platform basics

Content Security Policy (CSP) is a security standard introduced by the World Wide Web Consortium (W3C) to help prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in a trusted web page context.

CSP is typically implemented as an HTTP response header named Content-Security-Policy, which allows you to restrict how resources such as JavaScript, CSS, fonts, images, and other content are loaded and executed by the browser. By specifying a set of directives, you can control the sources of content that the browser is allowed to load, thus mitigating the risk of content injection attacks.

CSP is supported by all modern browsers, including Chrome, Firefox, Safari, Edge, and Opera. It has been widely adopted and supported for many years. Please note that Internet Explorer does not support CSP.

The Content-Security-Policy header value consists of one or more directives, separated by semicolons. Each directive specifies a policy for a specific resource type or behavior. The directives necessary for the Fundraise Up platform to function properly are listed below:

1connect-src
2  fndrsp.net
3  fndrsp-checkout.net
4  *.fundraiseup.com
5  *.stripe.com
6  *.paypal.com           // optional, for PayPal
7  *.paypalobjects.com    // optional, for PayPal
8  pay.google.com         // optional, for Google Pay
9  https://google.com/pay // optional, for Google Pay
10  api.addressy.com       // optional, for UK based accounts
11
12script-src
13  *.fundraiseup.com
14  *.stripe.com
15  m.stripe.network
16  pay.google.com         // optional, for Google Pay
17  *.paypal.com           // optional, for PayPal
18  *.paypalobjects.com    // optional, for PayPal
19
20frame-src
21   *.fundraiseup.com
22   *.stripe.com
23   *.paypal.com          // optional, for PayPal
24   pay.google.com        // optional, for Google Pay
25
26img-src
27   data:
28   *.fundraiseup.com
29   ucarecdn.com
30   pay.google.com        // optional, for Google Pay
31   *.paypalobjects.com   // optional, for PayPal
32
33font-src
34   *.fundraiseup.com
35   *.stripe.com
36
37style-src
38  'unsafe-inline'

Special note for payment methods using pop-ups

Some payment methods, such as Google Pay and PayPal, open a pop-up window during the payment flow. For these payment methods to function properly, the following additional CSP header needs to be set:

1Cross-Origin-Opener-Policy: same-origin-allow-popups

Without this header, the payment pop-up may not open correctly and could display an error to the user. To ensure a smooth donation process for your supporters across all browsers, it's highly recommended to include this header when using payment methods that rely on pop-ups.

Top Topics
Platform basics
Dashboard
Integrations
Payments
Payment methods
Checkout
Donor Portal
Elements
Stripe
Quickstarts
PayPal
JavaScript API
Apple Pay
Salesforce
WordPress

Still need help?

Need help with something not covered in Support Center? Connect with a support engineer for more assistance.
Email us