Difference between revisions of "ConversionRuler Content Security Policy for Installations"
(Created page with "For sites which have Content Security Policy (or CSP) headers enabled for more advanced security. Your web server administrator will need to configure your web server...") |
|||
| Line 8: | Line 8: | ||
* <code>connect-src</code> for tracking | * <code>connect-src</code> for tracking | ||
* <code>img-src</code> for image tracking (alternate method) | * <code>img-src</code> for image tracking (alternate method) | ||
| + | |||
| + | And the domains to be added are: | ||
| + | |||
| + | *.ruler.to | ||
| + | *.conversionruler.com | ||
| + | |||
| + | These domains are used for both serving the JavaScript tracking code as well as receiving individual tracking messages. | ||
An example Content Security Policy header looks like: | An example Content Security Policy header looks like: | ||
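Review bot: the added domain list gives only the wildcard forms `*.ruler.to` and `*.conversionruler.com`. In CSP, a `*.` host source matches subdomains but not the bare domain, so the text should say whether `ruler.to` or `conversionruler.com` themselves are ever contacted and list them if so. The added closing sentence says the domains both serve the script and receive tracking messages, so it would also help to state that both entries belong in each of `script-src`, `connect-src` and `img-src` listed above.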
Revision as of 19:25, 4 February 2026
This page applies to sites which have Content Security Policy (CSP) headers enabled for more advanced security.
Your web server administrator will need to add ConversionRuler's domains to your site's `Content-Security-Policy` headers so that ConversionRuler can communicate with the tracking servers.
ConversionRuler requires the following permissions:
- `script-src` for loading our report script
- `connect-src` for tracking
- `img-src` for image tracking (alternate method)
And the domains to be added are:
- `*.ruler.to`
- `*.conversionruler.com`

These domains are used both for serving the JavaScript tracking code and for receiving individual tracking messages.
An example Content Security Policy header looks like:
Content-Security-Policy: default-src 'self'; connect-src 'self' *.ruler.to *.conversionruler.com; frame-ancestors 'self'; frame-src 'self'; img-src * data:; media-src 'self' data: blob:; object-src 'none'; script-src 'strict-dynamic' 'self' *.ruler.to *.conversionruler.com blob:; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com; worker-src 'self' blob:;
Which, formatted a little more clearly, is:

    default-src 'self';
    connect-src 'self' *.ruler.to *.conversionruler.com;
    frame-ancestors 'self';
    frame-src 'self';
    img-src * data:;
    media-src 'self' data: blob:;
    object-src 'none';
    script-src 'strict-dynamic' 'self' *.ruler.to *.conversionruler.com blob:;
    style-src 'self' 'unsafe-inline' cdn.example.com;
    worker-src 'self' blob:;
Techniques to add this to your web server configuration are beyond the scope of this article, but searching for "custom HTTP headers" in your web server's or web server provider's documentation should provide information on how to configure this header.