Content Security Policy
If you are using a Content Security Policy (CSP) configuration, you need to add some specific settings when using a stock runner. Stock runners allow the use of custom fonts, images, and videos from YouTube and Vimeo, so these services must be allowed by your CSP configuration.
💯 Optimizing your CSP configuration
Make sure to update the following CSP directives:
- font-src: Allow https: and data: as source;
- img-src: Allow https: and data: as source;
- media-src: Allow https: as source;
- frame-src: Allow *.youtube.com, *.youtube-nocookie.com, and *.vimeo.com as source.
Tip: Only allow data: as source for the font-src and img-src directives if you want to enable your users to supply data URLs.
📃 Example CSP configuration
Content-Security-Policy:
default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
img-src 'self' https: data:;
media-src 'self' https:;
frame-src 'self' *.youtube.com *.youtube-nocookie.com *.vimeo.com;
frame-ancestors 'none';
object-src 'none';
style-src 'self'
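
To check an existing policy against the directive list above before deploying a stock runner, the following added example (not part of the original documentation) parses a CSP string and reports which required sources are still blocked. The function names are hypothetical, and matching is simplified: a required source counts as allowed when it appears literally or when the directive allows `https:` or `*`.

```javascript
// Sources this page says a stock runner needs (data: is optional, see the tip).
const REQUIRED = {
  "font-src": ["https:"],
  "img-src": ["https:"],
  "media-src": ["https:"],
  "frame-src": ["*.youtube.com", "*.youtube-nocookie.com", "*.vimeo.com"],
};
// CSP fallback: frame-src -> child-src -> default-src; the others -> default-src.
const FALLBACK = { "frame-src": ["child-src", "default-src"] };
// Parse a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  const body = policy.replace(/^\s*Content-Security-Policy\s*:/i, "");
  for (const part of body.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive, so keep the first occurrence.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Source list the browser applies for a directive, or null if unrestricted.
function effectiveSources(directives, name) {
  for (const candidate of [name, ...(FALLBACK[name] || ["default-src"])]) {
    if (directives.has(candidate)) return directives.get(candidate);
  }
  return null;
}

// Return "directive source" strings for every required source not allowed.
function missingSources(policy) {
  const directives = parseCsp(policy);
  const missing = [];
  for (const [name, required] of Object.entries(REQUIRED)) {
    const sources = effectiveSources(directives, name);
    if (sources === null) continue; // nothing restricts this resource type
    const allowed = new Set(sources.map((s) => s.toLowerCase()));
    // Exact match, or a broader https: / * source (embeds assumed to use HTTPS).
    const covered = (s) => allowed.has(s) || allowed.has("https:") || allowed.has("*");
    for (const source of required) {
      if (!covered(source)) missing.push(`${name} ${source}`);
    }
  }
  return missing;
}

// Constructed sample: a strict policy that has not been adjusted for the runner.
console.log(missingSources("default-src 'self'; frame-src 'none'"));
```

An empty result means every source from the list is allowed; each reported entry names the directive to extend and the source to add.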