Whitelisting URLs: Content Security Policy (CSP) and Apty

Content Security Policy (CSP) is a W3C standard that adds a layer of protection against Cross-Site Scripting (XSS), a well-known web application vulnerability in which malicious client-side scripts are injected into web pages. A CSP policy lets you allow or block content from specified domains, so that content from unapproved origins is never loaded.

CSP rules work at the page level, and apply to all components and libraries. 

This policy affects Apty operation: if Apty and the third-party resources used by Apty have not been listed as CSP trusted sites, Apty content will be blocked. This article lists the trusted sites that should be whitelisted for uninterrupted Apty operation.

When you define a CSP Trusted Site, you can add the site’s URL to the list of allowed sites for the following directives in the HTTP response headers:

  • frame-src
  • img-src
  • style-src
  • font-src
  • media-src

By setting suitable CSP directives in the HTTP response headers, you selectively specify which sources of content are permitted in your web application.

Sites that should be whitelisted for Apty operation:

1.   https://app.apty.io   The Apty Admin Portal (the server from which all Apty data is retrieved by the Apty widget / studio / admin). For more details on which data is collected, refer to: Data Collection and Storage.

2.   https://sdk.split.io   A third-party service enabling feature flagging. This service does not collect or host any customer data. When the page of the hosting application is loaded, Apty retrieves its tenantID attribute from the widget to identify the client and loads the list of predefined features from Split.io.

     https://events.split.io   A sub-service of Split.io that automatically records an impression whenever a Split feature flag is evaluated.

3.   https://api.segment.io   A service for capturing analytics data. It streams the data to Apty Analytics and stores collected data for a few minutes. For more details on which data is collected, refer to: Data Collection and Storage.

     https://cdn.segment.com   A sub-service of Segment that serves the JavaScript used by the widget.

4.   https://fonts.app.apty.io   A resource offering custom typography for Apty. No data is collected by this service.

     https://fonts.googleapis.com   A resource for loading custom fonts.
     https://fonts.gstatic.com   A resource for loading custom fonts.

5.   https://client.app.apty.io   A proxy that determines which version of the JavaScript your organization is going to use.
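
The following Python script is an added example, not code from Apty or from this article. It builds a CSP header that whitelists the hosts listed above under the directives named earlier, then checks individual resource URLs against that header the way a browser's host-source matching does (scheme, host with an optional leading `*.`, port, and the fall-back from a missing fetch directive to `default-src`). Two assumptions are made that the article does not state: `script-src` and `connect-src` are included alongside the five listed directives, because a JavaScript widget and its analytics requests are governed by those directives, and every Apty host is added to every directive, which follows the article's wording but is broader than a per-directive mapping would be. The page URLs used for the checks are constructed sample values.

```python
from urllib.parse import urlparse

# Hosts the article says must be whitelisted (copied from the list above).
APTY_SOURCES = [
    "https://app.apty.io",
    "https://sdk.split.io",
    "https://events.split.io",
    "https://api.segment.io",
    "https://cdn.segment.com",
    "https://fonts.app.apty.io",
    "https://fonts.googleapis.com",
    "https://fonts.gstatic.com",
    "https://client.app.apty.io",
]

# The five directives named in the article, plus script-src and connect-src.
# Assumption: a JavaScript widget and its analytics calls are governed by the
# latter two; the article does not say which host belongs to which directive.
DIRECTIVES = ["default-src", "script-src", "connect-src", "frame-src",
              "img-src", "style-src", "font-src", "media-src"]


def build_policy(extra_sources):
    """Return a policy dict: directive -> list of CSP source expressions.

    'self' keeps the hosting application's own origin allowed; the Apty hosts
    are appended to every directive, following the article's wording.
    """
    return {d: ["'self'"] + list(extra_sources) for d in DIRECTIVES}


def serialize(policy):
    """Render a policy dict as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def parse(header):
    """Parse a header value back into a directive -> sources dict."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page):
    """CSP host-source matching: scheme, host (with leading '*.'), and port."""
    if source == "'self'":
        return url.scheme == page.scheme and url.netloc.lower() == page.netloc.lower()
    if source.startswith("'"):
        return False  # 'none', nonces, hashes, 'unsafe-inline' are not host sources
    if source == "*":
        return url.scheme in ("http", "https")
    if "://" in source:
        src = urlparse(source)
        if src.scheme.lower() != url.scheme:
            return False
    else:
        src = urlparse("//" + source)
        # A scheme-less source matches the page's scheme or an upgrade to https.
        if url.scheme not in (page.scheme, "https"):
            return False
    src_host = (src.hostname or "").lower()
    url_host = (url.hostname or "").lower()
    if src_host.startswith("*."):
        if not url_host.endswith(src_host[1:]):
            return False
    elif src_host != url_host:
        return False
    default_port = {"http": 80, "https": 443}.get(url.scheme)
    if src.port is not None and src.port != (url.port or default_port):
        return False
    return True


def is_allowed(policy, directive, resource_url, page_url):
    """Decide whether resource_url may load under `directive` on page_url.

    As in browsers, a missing fetch directive falls back to default-src; if
    neither is present nothing restricts the load.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, urlparse(resource_url), urlparse(page_url))
               for s in sources)


if __name__ == "__main__":
    header = serialize(build_policy(APTY_SOURCES))
    print("Content-Security-Policy:", header)
    page = "https://intranet.example/app"  # constructed sample hosting page
    for directive, url in [("script-src", "https://client.app.apty.io/apty.js"),
                           ("font-src", "https://fonts.gstatic.com/s/roboto.woff2"),
                           ("script-src", "https://evil.example/x.js")]:
        print(directive, url, "->", "allowed" if is_allowed(parse(header), directive, url, page) else "BLOCKED")
```

Running the script prints the assembled header and shows that the Apty hosts load while an unlisted origin is blocked; checking a site's existing header with `parse` and `is_allowed` against the hosts above is a quick way to see which directive will reject the widget before looking at the browser console.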

CSP Errors and Apty

If Apty has been added to the hosting application via the code snippet (as described in this article) but the widget is not loading on your website, the cause may be the CSP policy. To check, open Developer Tools > Console tab and reload the page. If you see any errors referring to a Content Security Policy directive, ask your technical team to whitelist the websites named in the error message.
