Smart UI Security Recommendations

Content Security Policies

When embedding the Smart UI into your application, the following Content Security Policy directives need to be taken into account.

FrankieOne Content Security Policy

<meta http-equiv="Content-Security-Policy" content="
  default-src 'self' *.frankiefinancial.io;
  style-src 'self' fonts.googleapis.com;
  font-src 'self' fonts.gstatic.com;
  script-src 'self' maps.googleapis.com;
  report-uri *.ingest.sentry.io *.clarity.ms;
  img-src 'self' assets.frankiefinancial.io sync.onfido.com data:;
  connect-src blob: *.onfido.com wss://*.onfido.com;
" />

Onfido Content Security Policy

When using the Smart UI with the biometrics component turned on or configured, you will also need to take Onfido's Content Security Policy requirements into account. These are described in their documentation: https://documentation.onfido.com/sdk/web/#content-security-policy-issues

Referrer Headers

Any page that hosts the Smart UI should allow a referrer to be sent, as it is required for Onfido API requests.

Alternatively, if you would like to keep a no-referrer setting, you can update your implementation to pass in the referrer when requesting the token; we then use it to pass the information on to Onfido. Please see our documentation: https://apidocs.frankiefinancial.com/docs/getting-started
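The two requirements above (the Content Security Policy directives and the referrer setting) are usually enforced by a host application that already has its own headers. The following is an added example, not FrankieOne's or Onfido's code: it parses a CSP string into directives, merges the policy shown on this page into a constructed host policy so that no existing source is lost, lists the directives a browser ignores when a policy is delivered in a `<meta>` element rather than an HTTP header (the CSP specification excludes `report-uri`, `frame-ancestors` and `sandbox` from `<meta>` delivery), and checks whether a `Referrer-Policy` value still lets a cross-origin HTTPS request carry a referrer. The host policy and `cdn.example.com` are constructed for the example; the FrankieOne directive values are copied from this page.

```javascript
// Added example (not FrankieOne's or Onfido's code): CSP parse/merge helpers and a
// Referrer-Policy check for a page that embeds the Smart UI. Runs under plain Node.

// Directive values copied from this page.
const FRANKIEONE_CSP = `
  default-src 'self' *.frankiefinancial.io;
  style-src 'self' fonts.googleapis.com;
  font-src 'self' fonts.gstatic.com;
  script-src 'self' maps.googleapis.com;
  report-uri *.ingest.sentry.io *.clarity.ms;
  img-src 'self' assets.frankiefinancial.io sync.onfido.com data:;
  connect-src blob: *.onfido.com wss://*.onfido.com;
`;

// Constructed: a host application's pre-existing policy (cdn.example.com is made up).
const HOST_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self'; frame-ancestors 'none'";

// Directives the CSP spec says are not supported when the policy is delivered
// via <meta http-equiv="Content-Security-Policy">; they only work in the HTTP header.
const META_UNSUPPORTED = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// Fetch directives fall back to default-src when they are absent from a policy.
const FETCH_DIRECTIVES = new Set([
  "child-src", "connect-src", "default-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "script-src", "script-src-elem",
  "script-src-attr", "style-src", "style-src-elem", "style-src-attr", "worker-src",
]);

// Parse "directive src src; directive src" into Map<directive, Set<source>>.
// Directive names are case-insensitive; sources are kept exactly as written.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, new Set());
    for (const s of sources) directives.get(key).add(s);
  }
  return directives;
}

// Merge a vendor policy into the host policy. Shared directives get the union of
// sources. A fetch directive the host did not list previously fell back to the
// host's default-src, so it is seeded with those sources before the vendor's are
// added; otherwise adding e.g. style-src would silently drop the host's own CDN.
// 'none' cannot coexist with other sources, so it is removed once sources are added.
function mergeCsp(hostPolicy, vendorPolicy) {
  const host = parseCsp(hostPolicy);
  const hostDefault = new Set(host.get("default-src") || []);
  const merged = new Map();
  for (const [k, v] of host) merged.set(k, new Set(v));
  for (const [k, v] of parseCsp(vendorPolicy)) {
    if (!merged.has(k)) {
      merged.set(k, FETCH_DIRECTIVES.has(k) ? new Set(hostDefault) : new Set());
    }
    const target = merged.get(k);
    for (const s of v) target.add(s);
    if (target.size > 1) target.delete("'none'");
  }
  return merged;
}

// Serialize a parsed policy back into an HTTP header value.
function serializeCsp(directives) {
  return [...directives.entries()]
    .map(([k, v]) => `${k} ${[...v].join(" ")}`)
    .join("; ");
}

// Directives in a policy that a <meta> delivery would ignore.
function metaIgnoredDirectives(policy) {
  return [...parseCsp(policy).keys()].filter((k) => META_UNSUPPORTED.has(k));
}

// True when the Referrer-Policy value still sends at least the origin on a
// cross-origin HTTPS request; 'no-referrer' and 'same-origin' send nothing.
function referrerAllowedCrossOrigin(referrerPolicy) {
  const blocking = new Set(["no-referrer", "same-origin"]);
  return !blocking.has(referrerPolicy.trim().toLowerCase());
}

// Stand-alone usage: print the merged header value and the meta caveat.
console.log("Content-Security-Policy: " + serializeCsp(mergeCsp(HOST_CSP, FRANKIEONE_CSP)));
console.log("Ignored if delivered via <meta>: " + metaIgnoredDirectives(FRANKIEONE_CSP).join(", "));
```

Running the block prints a single header value that keeps the host's `frame-ancestors 'none'` and `https://cdn.example.com` while adding the FrankieOne and Onfido sources, and reports that `report-uri` only takes effect when the policy is sent as an HTTP response header. The referrer check is the condition to apply to the host page's `Referrer-Policy` before enabling the biometrics component.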
