Content Security Policy (CSP) configuration

If you're implementing CSP in your application, here's what you need to know to make sure Iframely works as expected.

Recommended directives

script-src

You may restrict this to just Iframely's embed.js if you've disabled other JavaScript in your app settings. In this case, you should also disable Iframely import (web component) to prevent the script from bulk-inserting native widgets into the shadow DOM.

img-src

If you lazy-load players, add Iframely's CDN domain. Again, you would need to disable Iframely import to prevent the script from inlining images in the shadow DOM. Instead, images will be wrapped in a separate iframe context.

object-src

Set to 'none'. Iframely does not output legacy HTML object elements.

frame-src

Iframely always embeds content in nested browsing contexts loaded from a wide range of third-party domains. Unless you only allow certain providers on your end, we recommend one of two approaches:

  • Omit this directive entirely. Be careful not to lead your policy with default-src 'none': when frame-src is absent, frame loads fall back to child-src and then default-src, so a 'none' default blocks every embed that is not explicitly allowed.
  • Use a wide scheme wildcard (e.g. https://*). If you choose this, turn on “SSL only” mode in your iframes settings for consistency.

Can frame-src be a specific list?

We recommend omitting the frame-src directive altogether on pages with embeds, because our platform supports over 1900 providers. We check and verify our publishers before allowing them on the platform.

This way, iframe security comes from us. We review each provider periodically, and if needed we take corrective measures: iframes from that publisher simply become unavailable across the network. Essentially, we maintain the frame-src list for you.

If you do need or prefer a list of specific domains instead of a wildcard, you can maintain one yourself. Please keep in mind:

  • Embed src domains are often different from the original URL domains, and they may change on the publisher's end without notice. Please verify each of your allowed publishers individually.
  • To avoid rich media from sources not in your list, make API calls with the &media=0 parameter for the other publishers.
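The two pitfalls above (a leading default-src 'none' with frame-src omitted, and a wildcard host list that does not cover a provider's apex domain) can be checked before deploying a policy. The following is an added example, not Iframely's code: a small evaluator that resolves a frame load through the frame-src, child-src, default-src fallback chain and matches a subset of CSP source expressions. Host names and the CDN domain in it are constructed placeholders; ports and paths are ignored.

```python
"""Added example (not Iframely's code): resolve frame-src for an embed URL,
including the child-src / default-src fallback that makes a leading
"default-src 'none'" block every embed when frame-src is omitted.
Subset of CSP Level 3 source matching; ports and paths are ignored."""
from urllib.parse import urlparse

# Directives a frame load falls back to, in order, when frame-src is absent.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source-expression, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(src: str, url: str) -> bool:
    """Does one source expression allow a (third-party) embed URL?"""
    u = urlparse(url)
    hostname = (u.hostname or "").lower()
    if src.startswith("'"):            # 'none', 'self', nonces, hashes:
        return False                   # none of these match a third-party origin
    if src == "*":                     # any network scheme, but not data:/blob:
        return u.scheme in ("http", "https", "ws", "wss")
    if src.endswith(":") and "://" not in src:   # scheme-source, e.g. "https:"
        return u.scheme == src[:-1].lower()
    scheme, sep, host = src.partition("://")     # host-source, e.g. https://*.cdn.example
    if not sep:
        scheme, host = "", scheme
    host = host.split("/")[0].split(":")[0].lower()
    if scheme and u.scheme != scheme.lower():
        return False
    if host == "*":
        return True
    if host.startswith("*."):          # wildcard matches subdomains only, not the apex
        return hostname.endswith(host[1:])
    return hostname == host


def frame_allowed(header: str, embed_url: str) -> bool:
    """True if the policy lets the page frame embed_url."""
    policy = parse_csp(header)
    for directive in FRAME_FALLBACK:
        if directive in policy:
            return any(source_matches(s, embed_url) for s in policy[directive])
    return True                        # nothing governs frames: unrestricted


if __name__ == "__main__":
    # "cdn.example.com" stands in for Iframely's CDN domain (placeholder).
    print(frame_allowed("default-src 'none'; script-src https://cdn.example.com",
                        "https://player.provider-a.example/v/1"))   # False
```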