Content Security Policy Recommendations for WTB

What is a CSP?

CSP stands for Content Security Policy. A CSP is a browser-enforced security layer, delivered as an HTTP response header or a <meta http-equiv> tag, that tells the browser which origins it may load scripts, stylesheets, images, fonts, frames and network connections from, and whether inline or eval'd script may run at all. For example, suppose your page is served from your own domain and it tries to load data from a PriceSpider API hosted on a different domain. The CSP tells the browser/user agent whether resources from that second domain should be loaded or blocked.

Many websites set strict CSPs that block resources from any domain other than their own, to keep out unknown or unapproved code and data. To integrate PriceSpider functionality into such a site while keeping that protection, your CSP must explicitly allow the PriceSpider domains the widget loads from.

PriceSpider recommendations:

PriceSpider's preference is to allow all subdomains of its domains through wildcard sources. This avoids listing every subdomain that talks to PriceSpider-related services, keeps the policy shorter, and means that if a subdomain changes or a new service is introduced under a new subdomain, no CSP change is needed after implementation. The trade-off is that a wildcard extends trust to every present and future host under that domain, so it is only appropriate for domains whose subdomains are all controlled by the vendor; a bare * or https://* source, by contrast, trusts every host on the internet and should not be used. Note also that the sample policies below carry 'unsafe-inline' and 'unsafe-eval': those two keywords disable most of the protection CSP gives against injected script, so if your policy currently avoids them, check whether the widget actually requires them before adding them.

1) Allow all services that end with and - RECOMMENDED!

<meta http-equiv="Content-Security-Policy" 
content="default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: wss: 

2) Allow specific domains in default-src - NOT RECOMMENDED

<meta http-equiv="Content-Security-Policy" 
content="default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: wss: 

3) Allow specific domains via respective fetch directives - NOT RECOMMENDED

<meta http-equiv="Content-Security-Policy" content="default-src 'self';
        script-src  'self' 
        img-src     'self' 
                    blob: ;
                    wss: ;
                    https://* ;
        worker-src blob: ;
        child-src blob: ;
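The three options above differ in two ways a browser actually enforces: whether a wildcard or an exact host is listed, and whether a resource type has its own fetch directive or falls back to default-src. The following evaluator is an added example written for this article, not PriceSpider's code or a PriceSpider tool; it implements the CSP3 host-source and scheme-source matching rules and the directive fallback chain, and it flags the expressions that weaken a policy. The host names (vendor.example, brand.example) and the two demo policies are constructed placeholders standing in for the real domains the article omits.

```javascript
// Added example, not PriceSpider's code: a small CSP evaluator that answers
// "would this policy let the browser fetch URL X as resource type Y?" and
// flags the source expressions that weaken a policy. Host names such as
// vendor.example are placeholders (assumption), not PriceSpider's real hosts.

// CSP3 fallback chains: a missing directive is governed by the next one listed.
const FALLBACK = {
  'script-src':  ['script-src', 'default-src'],
  'style-src':   ['style-src', 'default-src'],
  'img-src':     ['img-src', 'default-src'],
  'font-src':    ['font-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
  'child-src':   ['child-src', 'default-src'],
  'frame-src':   ['frame-src', 'child-src', 'default-src'],
  'worker-src':  ['worker-src', 'child-src', 'script-src', 'default-src'],
};
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'self' a.example; img-src blob:" -> { 'default-src': [...], 'img-src': [...] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Scheme check as in CSP3: exact match, or a secure upgrade (http->https, ws->wss).
function schemeMatches(want, got) {
  return want === got || (want === 'http:' && got === 'https:') || (want === 'ws:' && got === 'wss:');
}

// Does a single source expression match the resource URL loaded from `page`?
function sourceMatches(expr, resource, page) {
  const e = expr.toLowerCase();
  if (e === "'self'") return resource.origin === page.origin;
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(resource.protocol);
  if (e.startsWith("'")) return false;             // 'none', 'unsafe-*', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return resource.protocol === e;   // scheme-source: blob:, data:, wss:
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\*|\d+))?(\/.*)?$/);
  if (!m) return false;                            // not a valid host-source
  const [, scheme, host, port, path] = m;
  if (!schemeMatches(scheme ? scheme + ':' : page.protocol, resource.protocol)) return false;
  if (host.startsWith('*.')) {
    // "*.vendor.example" matches any subdomain but NOT the bare apex "vendor.example"
    if (!resource.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && host !== resource.hostname) {
    return false;
  }
  const effectivePort = resource.port || DEFAULT_PORT[resource.protocol] || '';
  if (port === undefined) {
    if (resource.port !== '') return false;        // no port in the source: only the scheme's default port matches
  } else if (port !== '*' && port !== effectivePort) {
    return false;
  }
  if (path) return path.endsWith('/') ? resource.pathname.startsWith(path) : resource.pathname === path;
  return true;
}

// Would the browser load `url` as resource type `directive` under `policy`, from page `pageUrl`?
function isAllowed(policy, directive, url, pageUrl) {
  const directives = parsePolicy(policy);
  const governing = (FALLBACK[directive] || [directive, 'default-src']).find((d) => d in directives);
  if (!governing) return true;                     // nothing in the policy covers this type: unrestricted
  const resource = new URL(url), page = new URL(pageUrl);
  return directives[governing].some((expr) => sourceMatches(expr, resource, page));
}

// Flag the expressions that give up most of CSP's script-injection protection.
function auditPolicy(policy) {
  const findings = [];
  for (const [name, sources] of Object.entries(parsePolicy(policy))) {
    const governsScripts = name === 'script-src' || name === 'default-src';
    for (const s of sources) {
      const l = s.toLowerCase();
      if (l === "'unsafe-inline'" && governsScripts) findings.push(`${name}: 'unsafe-inline' lets injected inline scripts execute`);
      if (l === "'unsafe-eval'" && governsScripts) findings.push(`${name}: 'unsafe-eval' permits eval()/new Function()`);
      if (l === 'data:' && governsScripts) findings.push(`${name}: data: URLs can carry script`);
      if (l === '*' || l === 'https:' || l === 'https://*') findings.push(`${name}: ${s} trusts every host`);
    }
  }
  return findings;
}

// Constructed demo policies modelled on options 1 and 3 above, with placeholder hosts.
const PAGE = 'https://www.brand.example/';
const OPTION1 = "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: wss: *.vendor.example vendor.example";
const OPTION3 = "default-src 'self'; script-src 'self' cdn.vendor.example; img-src 'self' blob: tiles.vendor.example; worker-src blob:; child-src blob:";

console.log(isAllowed(OPTION1, 'script-src', 'https://cdn.vendor.example/wtb.js', PAGE));    // true: wildcard covers the subdomain
console.log(isAllowed("default-src 'self' *.vendor.example", 'script-src', 'https://vendor.example/wtb.js', PAGE)); // false: wildcard excludes the apex
console.log(isAllowed(OPTION3, 'connect-src', 'https://api.vendor.example/prices', PAGE));    // false: no connect-src, falls back to default-src 'self'
console.log(auditPolicy(OPTION1));                                                          // three findings
```

Two results are worth checking against your own policy: a wildcard such as *.vendor.example does not match the bare vendor.example, so the apex must be listed separately if anything is fetched from it, and under option 3 every resource type the widget uses (XHR/fetch goes through connect-src, web sockets too) needs its own directive, because any type you leave out falls back to default-src 'self' and is blocked.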


  • If a WTB is configured to include a local (store-locator) section, it loads a map and other features critical to the local shopping experience. To display a map, WTB must load scripts, stylesheets, image tiles and other resources from the map service provider. PriceSpider offers Mapbox, Google and Leaflet-based map services, and a WTB can use any one of them (Mapbox is the default), so the CSP must allow scripts, images and related resources from the chosen provider's domains. The CSP policy to load a map from Mapbox is here:

  • WTB also loads some scripts from the content delivery network.

Consequences of choosing specific domains instead of *

If you must allow specific domains instead of wildcards, you may need to update your CSP in the future whenever a domain name changes on PriceSpider's side or a new service is introduced on a new host; until you do, the browser will block that resource and the widget will partially fail. Also keep in mind that a wildcard source such as *.example.com matches subdomains only and not the bare example.com, so if anything is loaded from the apex domain it must still be listed on its own.
