Skip to main content

Content Security Policy

The builder supports the use of trusted-types. Therefore, it is essential to specify the required policy names for the builder if you are using a Content Security Policy (CSP) configuration with trusted-types enabled.

The builder uses three policy names:

  • tripetto: This policy name is used when writing to the DOM;
  • tripetto#loader: This policy name is used when loading builder block script UMD bundles through the Tripetto Builder package;
  • tripetto#runner: This policy name is used when loading runner block script UMD bundles through the Tripetto Runner Foundation package.

The tripetto policy is always required. The tripetto#loader policy only applies when your application dynamically loads builder block UMD bundles. The tripetto#runner policy only applies when your application dynamically loads runner block UMD bundles.

Example‚Äč

Content-Security-Policy: trusted-types tripetto tripetto#loader;
danger

If your application also contains a runner (for example a live preview), then you need some additional CSP settings to let the runner work properly. See the Runner CSP guide for details.