Smart UI Security Recommendations

Content Security Policies

When embedding the Smart UI into your applications, the following Content Security Policy (CSP) directives need to be taken into account.

FrankieOne Content Security Policy

<meta http-equiv="Content-Security-Policy" content="
  default-src 'self' *;
  style-src 'self';
  font-src 'self';
  script-src 'self';
  report-uri * *;
  img-src 'self' data:;
  connect-src blob: * wss://*;
" />

Onfido Content Security Policy

When using the Smart UI with the biometrics component turned on or configured, you'll also need to take into account Onfido's Content Security Policies, which can be found in their documentation.

Referrer Headers

Any page that hosts the Smart UI should allow a referrer to be sent, as it's required for Onfido API requests.

Alternatively, if you'd like to keep the no-referrer header setting, you can update your implementation to pass in the referrer when getting the token; we then use that value to pass the information to Onfido. Please see our documentation available here.
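
The check below is an added example, not FrankieOne or Onfido code: from a page's Referrer-Policy header value it works out whether any referrer leaves the page on a cross-origin HTTPS request, which is the case where the referrer has to be passed in explicitly when getting the token. It assumes the Onfido API requests are cross-origin to the host page; the function names and the sample header values are constructed for illustration.

```javascript
// What each Referrer-Policy value sends on a cross-origin HTTPS -> HTTPS request.
const CROSS_ORIGIN_REFERRER = new Map([
  ["no-referrer", "none"],
  ["same-origin", "none"],
  ["origin", "origin"],
  ["strict-origin", "origin"],
  ["origin-when-cross-origin", "origin"],
  ["strict-origin-when-cross-origin", "origin"],
  ["no-referrer-when-downgrade", "full-url"],
  ["unsafe-url", "full-url"],
]);

// Policy current browsers apply when the page sets none.
const BROWSER_DEFAULT = "strict-origin-when-cross-origin";

// A header may carry a comma-separated fallback list: the last value the
// browser recognises wins, and unknown values are skipped.
function effectivePolicy(headerValue) {
  let policy = BROWSER_DEFAULT;
  for (const token of String(headerValue || "").split(",")) {
    const name = token.trim().toLowerCase();
    if (CROSS_ORIGIN_REFERRER.has(name)) policy = name;
  }
  return policy;
}

// Returns the effective policy, what is sent cross-origin, and whether the
// host page must pass the referrer explicitly because the browser sends none.
function checkReferrerPolicy(headerValue) {
  const policy = effectivePolicy(headerValue);
  const sent = CROSS_ORIGIN_REFERRER.get(policy);
  return { policy, sent, needsExplicitReferrer: sent === "none" };
}

// Constructed sample header values, not taken from any real deployment.
const samples = [
  "no-referrer",
  "no-referrer, strict-origin-when-cross-origin",
  "same-origin",
  "",
];
for (const value of samples) {
  console.log(JSON.stringify(value), checkReferrerPolicy(value));
}
```

A page that reports `needsExplicitReferrer: true` falls under the alternative described above; a `<meta name="referrer">` tag on the page can set a policy as well and is not covered by this check.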

