
Content Security Policy

If you use a Content Security Policy (CSP), you need to add some specific settings when using a stock runner. Stock runners allow the use of custom fonts, images, and videos from YouTube and Vimeo, so your CSP configuration must allow these sources.

💯 Optimizing your CSP configuration

Make sure to update the following CSP directives:

  • font-src: Allow https: and data: as source;
  • img-src: Allow https: and data: as source;
  • media-src: Allow https: as source;
  • frame-src: Allow *, *, and * as source.

Only allow data: as source for the font-src and img-src directives if you want to enable your users to supply data URLs.

📃 Example CSP configuration

default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
img-src 'self' https: data:;
media-src 'self' https:;
frame-src 'self' * * *;
frame-ancestors 'none';
object-src 'none';
style-src 'self'
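
To check an existing policy against the font-src, img-src and media-src requirements above, the following added example (not part of the original documentation or the runner's code) parses a CSP string and reports which required sources are missing and where data: URLs are enabled. The function names and the sample policy are assumptions made for illustration; frame-src is not checked because its host list is not given on this page.

```javascript
// Added example (not stock-runner code): audit a CSP string against the
// font-src / img-src / media-src requirements listed on this page.
const REQUIRED = { "font-src": "https:", "img-src": "https:", "media-src": "https:" };
const DATA_OPTIONAL = ["font-src", "img-src"]; // data: only if users supply data URLs

// Constructed sample, modelled on the page's example; frame-src is left out
// because its host list is not given on the page.
const SAMPLE_POLICY =
  "default-src 'self'; font-src 'self' https: data:; " +
  "img-src 'self' https: data:; media-src 'self' https:; object-src 'none'";

// Split on ';'. Directive names are case-insensitive and, when a directive
// is repeated, browsers honour only the first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fetch directives fall back to default-src; null means nothing restricts them.
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? null;
}

// An unrestricted directive allows everything; '*' covers https: but never data:.
function allows(sources, scheme) {
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === scheme || (s === "*" && scheme === "https:"));
}

function auditCsp(policy) {
  const directives = parseCsp(policy);
  const missing = Object.entries(REQUIRED)
    .filter(([name, scheme]) => !allows(effectiveSources(directives, name), scheme))
    .map(([name, scheme]) => `${name} ${scheme}`);
  const dataUrlsAllowed = DATA_OPTIONAL.filter((name) =>
    allows(effectiveSources(directives, name), "data:"));
  return { missing, dataUrlsAllowed };
}

console.log(auditCsp(SAMPLE_POLICY));
console.log(auditCsp("default-src 'self'; img-src 'self' https:"));
```

An empty `dataUrlsAllowed` list is the expected result when users are not meant to supply data URLs.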