Content Security Policy for Embedding
Content Security Policy (CSP) is a security standard designed to protect web applications from attacks like cross-site scripting (XSS), clickjacking, and other code injection threats. It works by restricting the sources that can load various types of content. By default, most browsers allow content to be loaded from any source, but CSP lets site owners enforce rules that only allow trusted sources.
Implementing CSP
The best way to implement your CSP is by configuring your web server to provide an HTTP response header called Content-Security-Policy. This header is sent by the server along with each HTML page and tells the browser which content sources are allowed. Because it is a header, the policy is not in the HTML of the web page, and it won't show up when you view the page source.
When using a shared web hosting provider for your site, you might not have access to server settings. Instead, your provider will usually offer another way to configure the CSP for your site, such as through an .htaccess file. The details vary by provider, so check with your hosting provider.
If no CSP is provided in your web server's HTTP response headers, you can add your policy to each page with a meta tag, such as <meta http-equiv="Content-Security-Policy" content="...add policy here...">. Meta tags are not the preferred way to add your CSP policy. A meta tag cannot be used to override a header that defines the CSP for your site; if a header is sent by your web server, the meta tag will be ignored.
Updating Your CSP For Files.com Embedding
To run an embedded Share Link or embedded Inbox with all of its features on a site that uses CSP, your policy needs to allow Files.com to load, to execute its scripts, and to transfer data between its storage sources.
The easiest way to find this list of sources is to visit your Files.com login page and examine the Content-Security-Policy header sent by Files.com, using the developer console in your web browser. Copy the sources listed for connect-src in that response.
Make Minimal Changes To Your Policy
If your CSP includes the frame-src directive or the child-src directive, update that directive to add all of the sources allowed in the connect-src portion of the CSP used by the Files.com web interface. Copy the sources listed for connect-src in that response into the frame-src directive of your policy if you are using CSP Level 3, or into the child-src directive if you are using CSP Level 2.
If your CSP does not currently include either frame-src or child-src, add a frame-src directive to your CSP and allow in it all of the sources from the Files.com connect-src listing.
If your policy already includes the script-src directive, add jssdk.files.com to the script-src directive. Do not add a script-src directive if your policy does not already have one.
If your policy has only the default-src directive, add jssdk.files.com to the default-src directive. Do not add it to default-src if you already added jssdk.files.com to the script-src directive, or if there is no default-src directive.
Don't change any other directives or add any other new directives to your CSP.
Testing Your CSP Policy
When updating your site's CSP, your first concern should be to avoid breaking any of your existing website functionality.
You can test your updated CSP by switching the header to reporting mode, using the Content-Security-Policy-Report-Only header. In reporting mode, your site will not block actions that violate your CSP, but the browser will report each violation (in its developer console and, if you configure a reporting endpoint, to that endpoint). Once you've tested with your web pages and made the necessary updates to the policy, change the header back to Content-Security-Policy for enforcement.
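As an added example (not Files.com code), the following Python applies the Files.com embedding rules from the section above to an existing policy string, creating frame-src only when neither frame directive exists and never creating a script-src. The Files.com source list is a constructed placeholder to be replaced with the connect-src values you copied from the login page header; the function names are assumptions of this example.

```python
"""Apply the Files.com embedding rules to an existing CSP (added example)."""

# Constructed placeholders: replace with the sources copied from the
# connect-src directive of the Files.com login page's CSP header.
FILES_COM_CONNECT_SRC = ["https://source-1.example", "https://source-2.example"]
JSSDK_SOURCE = "jssdk.files.com"  # the script host named in the instructions


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into an ordered {name: [sources]} map."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # skips empty parts such as a trailing ';'
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives: dict[str, list[str]]) -> str:
    """Rebuild the header value, preserving the original directive order."""
    return "; ".join(" ".join([name, *srcs]) for name, srcs in directives.items())


def add_sources(directives: dict[str, list[str]], name: str, sources: list[str]) -> None:
    """Append sources to an existing directive without creating duplicates."""
    for src in sources:
        if src not in directives[name]:
            directives[name].append(src)


def update_csp_for_files_com(policy: str) -> str:
    """Make only the changes the instructions describe; touch nothing else."""
    d = parse_csp(policy)
    # Frames: extend frame-src (CSP Level 3) and/or child-src (CSP Level 2)
    # when present; otherwise add a frame-src directive with the sources.
    frame_directives = [n for n in ("frame-src", "child-src") if n in d]
    if frame_directives:
        for name in frame_directives:
            add_sources(d, name, FILES_COM_CONNECT_SRC)
    else:
        d["frame-src"] = list(FILES_COM_CONNECT_SRC)
    # Scripts: jssdk.files.com goes into script-src if it exists, else into
    # default-src if that exists; a missing script-src is never created.
    if "script-src" in d:
        add_sources(d, "script-src", [JSSDK_SOURCE])
    elif "default-src" in d:
        add_sources(d, "default-src", [JSSDK_SOURCE])
    return serialize_csp(d)
```

Serve the returned value under Content-Security-Policy-Report-Only first and review the reported violations, then move it to Content-Security-Policy once the report-only run is clean.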