Content Security Policies

Content Security Policies are delivered by your web server as an HTTP response header to your contacts' browsers; they declare which dynamic resources (scripts, styles, images, network connections) are allowed to load on your page.

For many websites, you can simply declare that only scripts and styles from your own domain and from any tools you are using are allowed. This becomes more involved with more complex setups.

If you are using a default CSP, adding the following sources to your default-src rule will be sufficient. The ellipsis (...) in the examples is a placeholder for any existing rules you already have in place:

default-src ... *.bronto.com:* *.bron.to *.brontops.com ajax.googleapis.com;

If you want stronger restrictions, we recommend the following template. Note that 'unsafe-eval' in script-src re-enables eval() for every script source that directive allows, so keep the rest of script-src as narrow as you can:

img-src ... *.bronto.com *.bron.to;
style-src ... *.bronto.com cdn.materialdesignicons.com;
script-src ... *.bronto.com ajax.googleapis.com 'unsafe-eval';
connect-src ... *.bronto.com:* *.brontops.com:*;

If your CSP requires more specific allowances, these are the minimum sources you need to add to your web server's policy for Bronto to function properly on your site:

img-src ... http://your.PrivateDomain.com https://your.PrivateDomain.com http://app.bronto.com https://cdn.bronto.com http://c.bron.to https://c.bron.to http://maw.bronto.com https://maw.bronto.com;
style-src ... http://cdn.bronto.com https://cdn.bronto.com http://cdn.materialdesignicons.com https://cdn.materialdesignicons.com;
script-src ... http://cdn.bronto.com https://cdn.bronto.com http://js.bronto.com https://js.bronto.com http://rest.bronto.com https://rest.bronto.com http://c.bron.to https://c.bron.to http://maw.bronto.com https://maw.bronto.com 'unsafe-eval';
connect-src ... *.bronto.com:* *.brontops.com:*;
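Merging these allowances into an existing policy has one trap: a directive such as connect-src that was previously absent inherited its sources from default-src, so creating it with only the new hosts silently drops everything it used to allow. The following added example (not Bronto's code; the REQUIRED table copies the stronger-restrictions template above and the policy strings are constructed samples) fills the "..." placeholder by seeding each new directive from the sources it previously inherited before appending the required hosts.

```python
"""Merge the Bronto CSP allowances into an existing policy without losing inherited sources."""

# Fetch directives fall back to default-src when they are absent (CSP Level 3).
FETCH_DIRECTIVES = {"img-src", "style-src", "script-src", "connect-src",
                    "font-src", "frame-src", "media-src", "object-src"}

# Sources from the page's stronger-restrictions template, keyed by directive.
REQUIRED = {
    "img-src": ["*.bronto.com", "*.bron.to"],
    "style-src": ["*.bronto.com", "cdn.materialdesignicons.com"],
    "script-src": ["*.bronto.com", "ajax.googleapis.com", "'unsafe-eval'"],
    "connect-src": ["*.bronto.com:*", "*.brontops.com:*"],
}


def parse_csp(header):
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}.
    Browsers honour only the first occurrence of a repeated directive."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list the browser actually applies, including default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def merge_required(policy, required=REQUIRED):
    """Append required sources; a directive created here starts from what it inherited.
    'none' is dropped because it only has meaning as the sole source of a directive."""
    merged = {k: list(v) for k, v in policy.items()}
    for directive, sources in required.items():
        current = [s for s in effective_sources(merged, directive) if s != "'none'"]
        merged[directive] = current + [s for s in sources if s not in current]
    return merged


def serialize(policy):
    """Render the policy back into header form."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


if __name__ == "__main__":  # constructed sample policy
    print(serialize(merge_required(parse_csp("default-src 'self'; script-src 'self' ajax.googleapis.com"))))
```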