Content Security Policy (CSP)

Using the mPulse non-blocking loader snippet to include Boomerang on your site, via Akamai Edge injection or origin injection, requires merging the following CSP rules to your existing set of rules:

script-src https://*.go-mpulse.net; img-src https://*.akstat.io; connect-src https://*.akstat.io https://*.go-mpulse.net;

Explanation of individual rules:

  • script-src https://*.go-mpulse.net: The Boomerang JavaScript file will be downloaded from a host in the go-mpulse.net domain over HTTPS.

  • img-src https://*.akstat.io: Boomerang will send GET requests with beacon data to a host in the akstat.io domain using dynamically created IMG elements over HTTPS.

  • connect-src https://*.akstat.io: Boomerang will send POST requests with beacon data using XHR or the sendBeacon API to a host in the akstat.io domain over HTTPS.

  • connect-src https://*.go-mpulse.net: Boomerang will fetch it‚Äôs configuration from *.go-mpulse.net using XHR over HTTPS.

If the app is configured to track sessions across multiple domains then a frame-src CSP rule is required to whitelist the request to the cross domain HTML. Boomerang will request the page using an IFRAME.

frame-src [cross domain session host];