ConversionRuler Content Security Policy for Installations

From Market Ruler Help

This page applies to sites that have Content Security Policy (CSP) headers enabled for more advanced security.

Your web server administrator will need to configure your web server to add our tracking domains to the `Content-Security-Policy` headers for your site, so that our code can communicate with our servers.

ConversionRuler installations require the following permissions:

  • script-src for loading our report script
  • connect-src for tracking
  • img-src for image tracking (alternate method)

And the domains to be added are:

*.ruler.to
*.conversionruler.com

These domains are used both to serve the JavaScript tracking code and to receive individual tracking messages.

An example Content Security Policy header looks like:

Content-Security-Policy: default-src 'self'; connect-src 'self' *.ruler.to *.conversionruler.com; frame-ancestors 'self'; frame-src 'self'; img-src * data:; media-src 'self' data: blob:; object-src 'none'; script-src 'strict-dynamic' 'self' *.ruler.to *.conversionruler.com blob:; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com; worker-src 'self' blob:;

Formatted a little more clearly, this is:

Content-Security-Policy:
  default-src 'self'; 
  connect-src 'self' *.ruler.to *.conversionruler.com; 
  frame-ancestors 'self'; 
  frame-src 'self'; 
  img-src * data:; 
  media-src 'self' data: blob:; 
  object-src 'none'; 
  script-src 'strict-dynamic' 'self' *.ruler.to *.conversionruler.com blob:; 
  style-src 'self' 'unsafe-inline' cdn.example.com; 
  worker-src 'self' blob:;

Techniques for adding this to your web server configuration are beyond the scope of this article, but searching for "custom HTTP headers" in the documentation for your web server or web server provider should show how to configure this header.
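
One way to check a policy before deploying it, as an added example that is not ConversionRuler's own code: the script parses a `Content-Security-Policy` value and reports which of the three directives listed above lack the two tracking domains. It also flags `'strict-dynamic'` used without a nonce or hash, because CSP Level 3 browsers then ignore `'self'` and host sources in `script-src`; the function names are hypothetical.

```python
import re

# Directives and domains taken from the lists on this page.
REQUIRED_DIRECTIVES = ("script-src", "connect-src", "img-src")
REQUIRED_HOSTS = ("*.ruler.to", "*.conversionruler.com")

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    value = re.sub(r"(?i)^\s*content-security-policy\s*:", "", value)
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_of(source):
    """Strip scheme, port and path from a host-source expression."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source.lower())
    return re.split(r"[:/]", host, maxsplit=1)[0]

def audit(value):
    """Return a list of problems that would stop the tracking code working."""
    policy = parse_csp(value)
    problems = []
    for directive in REQUIRED_DIRECTIVES:
        # A missing fetch directive falls back to default-src.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue  # neither directive is set, so nothing is restricted
        hosts = {host_of(s) for s in sources if not s.startswith("'")}
        for required in REQUIRED_HOSTS:
            if "*" not in hosts and required not in hosts:
                problems.append(f"{directive}: missing {required}")
    script = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    trusted = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    if "'strict-dynamic'" in script and not any(s.startswith(trusted) for s in script):
        problems.append("script-src: 'strict-dynamic' without a nonce or hash; "
                        "CSP3 browsers ignore 'self' and host sources here")
    return problems

if __name__ == "__main__":
    # Constructed sample policy, not taken from a real site.
    sample = ("Content-Security-Policy: default-src 'self'; "
              "script-src 'self' *.ruler.to; img-src * data:")
    for problem in audit(sample):
        print(problem)
```

Run against the example header on this page, the audit finds all required domains present and reports only the `'strict-dynamic'` item.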