CSP - Whitelist Content Location: Does it work on a site that has tracking and affiliate marketing?

CSP uses a whitelist of domains that can host content.

Can this work with an affiliate marketing website? As a rule, on the "order completed" page there is an iframe in which a script is placed, and that script is under the control of the affiliate partner.

It would be fine to whitelist the domain of the affiliate script, but I do not control what the script does: I am pretty sure that it will load other content that is not whitelisted.

Does anyone have good or bad experience working with affiliate scripts and CSP?

+4
2 answers

According to this article, you need to whitelist each source from which you load scripts: each source, for each content type.

http://www.domblogger.net/Security/CSP

The affiliate script material I've seen so far never calls second-level scripts. The scripts make requests to process data on the server side, and that request is redirected, for example to set cookies in your browser.

Technically, you can run affiliate material from unknown sources using "unsafe-inline", but this is not recommended.

+1

Unfortunately, advertisers cannot always be trusted: because ad space is resold, you can end up showing ads from ad networks that you don't deal with directly, potentially running malware on your clients.

As for CSP: if you punch too many holes in the rules, it becomes useless. There are a few things you can do, for example an iframe sandbox.

Alternatively, you can allow ads that use a safe subset of JavaScript (this check can be performed statically). "Safe" means that the document object will not be modified, etc.; the client should remain unaffected even if the ad network is malicious.

A prominent example is ADsafe, but there are other options.

+1
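To make the two answers concrete (one whitelist entry per source and per content type, and the observation that loosening the policy makes it useless), here is an added example that is not part of this thread: a toy model of CSP source matching that reports which loads of a constructed affiliate snippet a given policy would refuse. All origins and policies below are constructed for illustration.

```python
"""Added example for this thread: a toy CSP source matcher, not browser
code and not from the original answers. It handles whole-origin sources,
'self', '*' and the default-src fallback only (no paths, nonces, hashes)."""

SELF = "https://shop.example"  # constructed: the merchant's own origin
# Fetch directives that fall back to default-src when not set.
FALLBACK = {"script-src", "img-src", "frame-src", "connect-src", "style-src"}

def parse_csp(policy):
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def allows(policy, directive, origin):
    """Would the page's CSP let `origin` load as `directive`?"""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: nothing restricted
    for src in sources:
        if src == "*" or src.lower() == origin.lower():
            return True
        if src == "'self'" and origin == SELF:
            return True
    return False  # 'unsafe-inline' never matches an external origin

def blocked(policy_text, loads):
    """(directive, origin) pairs the policy would refuse to load."""
    policy = parse_csp(policy_text)
    return [(d, o) for d, o in loads if not allows(policy, d, o)]

# Constructed: what an affiliate snippet pulls into the "order completed" page.
# Loads inside a cross-origin iframe are governed by that frame's own CSP.
AFFILIATE_LOADS = [
    ("frame-src", "https://affiliate.example"),           # the iframe itself
    ("script-src", "https://affiliate.example"),          # first-level script
    ("script-src", "https://cdn.unknown-adnet.example"),  # second-level script
    ("img-src", "https://pixel.unknown-adnet.example"),   # tracking pixel
]
STRICT = "default-src 'self'; frame-src https://affiliate.example; script-src 'self' https://affiliate.example"
LOOSENED = STRICT + " 'unsafe-inline'"  # the first answer's workaround
WIDE_OPEN = "default-src *"             # every hole punched: useless
```

Running `blocked(STRICT, AFFILIATE_LOADS)` shows that only the second-level script and the tracking pixel are refused, `LOOSENED` refuses exactly the same loads (unsafe-inline does not admit external origins), and `WIDE_OPEN` refuses nothing.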
