Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to malware distribution.
Here is the basic list of rules needed for the jQuery File Uploader:
We use iframe to integrate external upload sources.
You MUST add this rule if you are using an external upload
source (such as Facebook or Google Drive).
The list of all available upload sources is here.
This rule applies if you integrate File Uploader via the script tag. Here you should specify the list of URLs that you use to connect the File Uploader.
The example above specifies two URLs:
https://ucarecdn.com/libs/widget/3.x/uploadcare.full.min.jshttps://ucarecdn.com/libs/widget-tab-effects/1.x/uploadcare.tab-effects.jsThose are File Uploader full minified bundle and Effects Tab bundle.
Here, https://ucarecdn.com is our default CDN.
You should change it in case you’re using Custom CDN CNAME.
blob: and data: are needed to be able to show previews
before file upload.
The example above specifies two SHA hashes: File Uploader styles and Effects Tab styles.
File Uploader adds inline styles dynamically, so you need to specify SHA hash for those styles or use the unsafe-inline flag, which is highly unrecommended.
To calculate SHA hash, you could use Chrome Developer Tools:
Here is, 'sha256-4G3/zsAXNgsfv+V7zWLxJbqyQgdoBPW9c9QT3xIa6L4=' is the
style’s calculated SHA hash which you can use for style-src rule.
While running, File Uploader could make requests to the following list of domains:
https://upload.uploadcare.com — Upload APIhttps://uploadcare.s3-accelerate.amazonaws.com — Multipart uploadingwss://ws.pusherapp.com or ws://ws.pusherapp.com — Pusher WebSocket server we’re using to track uploading status. Protocol (secure or insecure) depends on window.location.protocol value.