Market Ruler HelpDifference between revisions of "ConversionRuler Content Security Policy for Installations"
From Market Ruler Help
(Created page with "For sites which have Content Security Policy (or CSP) headers enabled for more advanced security. Your web server administrator will need to configure your web server...") |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
For sites which have [[Content Security Policy]] (or [[CSP]]) headers enabled for more advanced security. | For sites which have [[Content Security Policy]] (or [[CSP]]) headers enabled for more advanced security. | ||
| − | Your web server administrator will need to configure your web server to add | + | Your web server administrator will need to configure your web server to add our tracking domains to the `Content-Security-Policy` headers for your site to enable our code to communicate with the our servers. |
| − | ConversionRuler | + | ConversionRuler installations require the following permissions: |
* <code>script-src</code> for loading our report script | * <code>script-src</code> for loading our report script | ||
* <code>connect-src</code> for tracking | * <code>connect-src</code> for tracking | ||
* <code>img-src</code> for image tracking (alternate method) | * <code>img-src</code> for image tracking (alternate method) | ||
| + | |||
| + | And the domains to be added are: | ||
| + | |||
| + | *.ruler.to | ||
| + | *.conversionruler.com | ||
| + | |||
| + | These domains are used for both serving the JavaScript tracking code as well as receiving individual tracking messages. | ||
An example Content Security Policy header looks like: | An example Content Security Policy header looks like: | ||
| Line 15: | Line 22: | ||
Which formatted a little more clearly is: | Which formatted a little more clearly is: | ||
| − | default-src 'self'; | + | Content-Security-Policy: |
| − | + | default-src 'self'; | |
| − | + | connect-src 'self' *.ruler.to *.conversionruler.com; | |
| − | + | frame-ancestors 'self'; | |
| − | + | frame-src 'self'; | |
| − | + | img-src * data:; | |
| − | + | media-src 'self' | |
| − | + | data: blob:; | |
| − | + | object-src 'none'; | |
| − | + | script-src 'strict-dynamic' 'self' *.ruler.to *.conversionruler.com blob:; | |
| − | + | style-src 'self' 'unsafe-inline' cdn.example.com; | |
| + | worker-src 'self' blob:; | ||
Techniques to add this to your web server configuration are beyond the scope of this article but searching for '''Custom HTTP headers''' in your web server or web server provider's documentation should provide information on how to configure this header. | Techniques to add this to your web server configuration are beyond the scope of this article but searching for '''Custom HTTP headers''' in your web server or web server provider's documentation should provide information on how to configure this header. | ||
[[Category:ConversionRuler Installation]] | [[Category:ConversionRuler Installation]] | ||
Latest revision as of 19:51, 4 February 2026
For sites which have Content Security Policy (or CSP) headers enabled for more advanced security.
Your web server administrator will need to configure your web server to add our tracking domains to the `Content-Security-Policy` headers for your site to enable our code to communicate with the our servers.
ConversionRuler installations require the following permissions:
-
script-srcfor loading our report script -
connect-srcfor tracking -
img-srcfor image tracking (alternate method)
And the domains to be added are:
*.ruler.to *.conversionruler.com
These domains are used for both serving the JavaScript tracking code as well as receiving individual tracking messages.
An example Content Security Policy header looks like:
Content-Security-Policy: default-src 'self'; connect-src 'self' *.ruler.to *.conversionruler.com; frame-ancestors 'self'; frame-src 'self'; img-src * data:; media-src 'self' data: blob:; object-src 'none'; script-src 'strict-dynamic' 'self' *.ruler.to *.conversionruler.com blob:; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com; worker-src 'self' blob:;
Which formatted a little more clearly is:
Content-Security-Policy: default-src 'self'; connect-src 'self' *.ruler.to *.conversionruler.com; frame-ancestors 'self'; frame-src 'self'; img-src * data:; media-src 'self' data: blob:; object-src 'none'; script-src 'strict-dynamic' 'self' *.ruler.to *.conversionruler.com blob:; style-src 'self' 'unsafe-inline' cdn.example.com; worker-src 'self' blob:;
Techniques to add this to your web server configuration are beyond the scope of this article but searching for Custom HTTP headers in your web server or web server provider's documentation should provide information on how to configure this header.