Content Security Policy

If you serve a Content Security Policy (CSP), you need to add some specific settings when using a stock runner. Stock runners allow custom fonts, images, and embedded videos from YouTube and Vimeo, so your CSP must allow these sources or the runner cannot load them.

💯 Optimizing your CSP configuration

Make sure to update the following CSP directives:

  • font-src: Allow https: and data: as sources;
  • img-src: Allow https: and data: as sources;
  • media-src: Allow https: as a source;
  • frame-src: Allow *.youtube.com, *.youtube-nocookie.com, and *.vimeo.com as sources.

Tip: Only allow data: as a source for the font-src and img-src directives if you want your users to be able to supply data URLs.

📃 Example CSP configuration

The directives are shown one per line for readability; the Content-Security-Policy header is sent as a single line with the directives separated by semicolons.

Content-Security-Policy:
default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
img-src 'self' https: data:;
media-src 'self' https:;
frame-src 'self' *.youtube.com *.youtube-nocookie.com *.vimeo.com;
frame-ancestors 'none';
object-src 'none';
style-src 'self'
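As an added check (example code, not from the original page or the runner's own code), the following Python parses a CSP header value and reports whether the directives listed above include the sources the stock runner needs, and whether data: URLs are enabled for font-src and img-src. The sample header is constructed from the example configuration above; the function names are assumptions for this example.

```python
# Added example (not from the page): check a CSP header for the sources a
# stock runner needs. Directive names are from the page; the sample is constructed.
from typing import Dict, List

REQUIRED: Dict[str, List[str]] = {          # per-directive sources the runner needs
    "font-src": ["https:"],
    "img-src": ["https:"],
    "media-src": ["https:"],
    "frame-src": ["*.youtube.com", "*.youtube-nocookie.com", "*.vimeo.com"],
}
DATA_URL_DIRECTIVES = ["font-src", "img-src"]  # data: is optional here (see tip)

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]}; names lower-cased."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore repeated directives, so keep only the first one.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """A missing fetch directive falls back to default-src."""
    return [s.lower() for s in policy.get(directive, policy.get("default-src", []))]

def check_runner_csp(header: str) -> List[str]:
    """Return problems found; an empty list means the runner's assets will load."""
    policy = parse_csp(header)
    problems = []
    for directive, needed in REQUIRED.items():
        sources = effective_sources(policy, directive)
        for src in needed:
            # A bare '*' matches any scheme/host except data:, blob:, filesystem:
            if src not in sources and "*" not in sources:
                problems.append(f"{directive}: missing {src}")
    return problems

def data_urls_enabled(header: str) -> Dict[str, bool]:
    """Report, per directive, whether users may supply data: URLs."""
    policy = parse_csp(header)
    return {d: "data:" in effective_sources(policy, d) for d in DATA_URL_DIRECTIVES}

# Constructed sample mirroring the page's example configuration.
SAMPLE_CSP = (
    "default-src 'self'; base-uri 'self'; block-all-mixed-content; "
    "font-src 'self' https: data:; img-src 'self' https: data:; media-src 'self' https:; "
    "frame-src 'self' *.youtube.com *.youtube-nocookie.com *.vimeo.com; "
    "frame-ancestors 'none'; object-src 'none'; style-src 'self'"
)
```

Run check_runner_csp against the header your server actually sends (for example, copied from the browser's network panel) to confirm nothing was lost when the policy was flattened to one line.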