CSP and Smart UI Security Recommendations
Content Security Policies
When embedding the Smart UI in an application that enforces a Content Security Policy, your policy needs to allow at least the sources listed below. Two points of CSP mechanics to keep in mind when merging them into an existing policy: once connect-src is listed, it replaces default-src for XHR, fetch and WebSocket requests, so any additional API hosts the page calls have to be added to connect-src rather than default-src; and report-uri is ignored when the policy is delivered in a <meta> element, so deliver the policy in the Content-Security-Policy HTTP response header if you want violation reports sent.
FrankieOne Content Security Policy
<meta http-equiv="Content-Security-Policy" content="
default-src 'self' *.frankiefinancial.io;
style-src 'self' fonts.googleapis.com;
font-src 'self' fonts.gstatic.com;
script-src 'self' maps.googleapis.com;
report-uri *.ingest.sentry.io *.clarity.ms;
img-src 'self' assets.frankiefinancial.io sync.onfido.com data:;
connect-src blob: *.onfido.com wss://*.onfido.com;
" />
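To see which browser requests the policy above actually lets through, here is an added example (not FrankieOne's, Onfido's or any vendor's code) of a small CSP source-expression matcher in JavaScript. It follows the CSP Level 3 host-source and scheme matching rules for the source forms used in this policy ('self', scheme sources such as data: and blob:, plain hosts, wildcard hosts, and scheme-qualified hosts) and the default-src fallback for fetch directives. The host page origin https://app.example.com and the sample request list are assumptions constructed for the demonstration; ports, paths, nonces and hashes are deliberately not modelled.

```javascript
// Added example (not FrankieOne's or Onfido's code): a minimal CSP matcher
// covering the source forms used in the policy above: 'self', scheme sources
// (data:, blob:), plain hosts, wildcard hosts (*.onfido.com) and
// scheme-qualified hosts (wss://*.onfido.com). Ports, paths, nonces and hashes
// are not modelled. Assumed host page origin: https://app.example.com.

// The policy from the <meta> tag above, as one header-style string.
const FRANKIEONE_CSP = [
  "default-src 'self' *.frankiefinancial.io",
  "style-src 'self' fonts.googleapis.com",
  "font-src 'self' fonts.gstatic.com",
  "script-src 'self' maps.googleapis.com",
  "report-uri *.ingest.sentry.io *.clarity.ms",
  "img-src 'self' assets.frankiefinancial.io sync.onfido.com data:",
  "connect-src blob: *.onfido.com wss://*.onfido.com",
].join("; ");

// Fetch directives that fall back to default-src when not listed.
// (child-src/worker-src have longer fallback chains; simplified here.)
const FALLS_BACK_TO_DEFAULT = new Set([
  "child-src", "connect-src", "font-src", "frame-src", "img-src",
  "manifest-src", "media-src", "object-src", "script-src", "style-src", "worker-src",
]);

// "a b; c d" -> Map { "a" => ["b"], "c" => ["d"] }. As in the spec, the first
// occurrence of a directive wins and later duplicates are ignored.
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

// CSP3 "scheme-part matches": a source without a scheme inherits the page's
// scheme, and only these secure upgrades are accepted. Note that https does
// not cover wss, which is why the policy lists wss://*.onfido.com separately.
function schemeMatches(a, b) {
  if (a === b) return true;
  if (a === "http") return b === "https";
  if (a === "ws") return b === "wss" || b === "http" || b === "https";
  if (a === "wss") return b === "https";
  return false;
}

// "*.onfido.com" matches api.onfido.com and a.b.onfido.com, never onfido.com itself.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".onfido.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit `url`, for a page whose origin is `self`?
function sourceMatches(source, url, self) {
  const s = source.toLowerCase();
  const urlScheme = url.protocol.slice(0, -1);
  if (s === "'self'") return url.origin === self.origin;
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return urlScheme === s.slice(0, -1); // data:, blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)$/.exec(s);
  if (!m) return false; // ports/paths not modelled: treat as non-matching
  const [, scheme, host] = m;
  const baseScheme = scheme || self.protocol.slice(0, -1);
  return schemeMatches(baseScheme, urlScheme) && hostMatches(host, url.hostname.toLowerCase());
}

// Evaluate `directive` for `requestUrl`. Returns which directive actually
// governed the request (after default-src fallback) and which sources matched.
function cspAllows(policy, directive, requestUrl, selfOrigin) {
  const directives = parseCsp(policy);
  let governing = directive.toLowerCase();
  if (!directives.has(governing) && FALLS_BACK_TO_DEFAULT.has(governing)) {
    governing = "default-src";
  }
  const sources = directives.get(governing);
  if (!sources) return { allowed: true, directive: null, matched: [] }; // unrestricted
  const url = new URL(requestUrl);
  const self = new URL(selfOrigin);
  const matched = sources.filter((src) => sourceMatches(src, url, self));
  return { allowed: matched.length > 0, directive: governing, matched };
}

// Requests a page at the assumed origin might make; constructed sample input.
const SELF_ORIGIN = "https://app.example.com";
const SAMPLE_REQUESTS = [
  ["script-src", "https://maps.googleapis.com/maps/api/js"],
  ["script-src", "http://maps.googleapis.com/maps/api/js"],  // plain http is not a permitted upgrade
  ["connect-src", "wss://ws.onfido.com/socket"],             // only wss://*.onfido.com covers this
  ["connect-src", "https://onfido.com/"],                    // apex host, not matched by *.onfido.com
  ["connect-src", "https://api.frankiefinancial.io/v1/"],    // explicit connect-src: no default-src fallback
  ["frame-src", "https://widget.frankiefinancial.io/ui"],    // absent directive: default-src applies
  ["img-src", "data:image/png;base64,AAAA"],
];

for (const [directive, target] of SAMPLE_REQUESTS) {
  const r = cspAllows(FRANKIEONE_CSP, directive, target, SELF_ORIGIN);
  console.log(`${directive.padEnd(12)} ${target.padEnd(46)} ${r.allowed ? "allow" : "BLOCK"} (${r.directive}: ${r.matched.join(" ") || "-"})`);
}
```

Run it with node and read the BLOCK lines: the request to api.frankiefinancial.io is refused because connect-src is present and therefore never consults default-src, and the apex onfido.com host is refused because a wildcard host never matches the bare domain. Use the same function against your merged policy before shipping it, substituting your real page origin for the placeholder.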
Onfido CSP
When the Smart UI is used with the idScanVerification option turned on, you also need to take Onfido's Content Security Policy requirements into account; they are listed in Onfido's documentation: https://documentation.onfido.com/sdk/web/#content-security-policy-issues
Hotjar CSP
If the disableThirdPartyAnalytics option is not set to true, you also need to add the sources Hotjar requires, as specified in Hotjar's documentation:
https://help.hotjar.com/hc/en-us/articles/115011640307-Content-Security-Policies
Referrer Headers
For increased security, any website using the Smart UI should generate its token with a referrer pattern configured, and the page should send the Referer header so that the request can be matched against that pattern (check that your Referrer-Policy does not suppress the header, for example with no-referrer).
For the Smart UI on its own this is only a recommendation, but if you enable idScanVerification and use Onfido, Onfido requires the Referer header to be present.