Using the mPulse non-blocking loader snippet to include Boomerang on your site, via Akamai Edge injection or origin injection, requires merging the following CSP rules to your existing set of rules:
script-src https://*.go-mpulse.net; img-src https://*.akstat.io; connect-src https://*.akstat.io https://*.go-mpulse.net;
Explanation of individual rules:
img-src https://*.akstat.io: Boomerang will send GET requests with beacon data to a host in the akstat.io domain using dynamically created IMG elements over HTTPS.
connect-src https://*.akstat.io: Boomerang will send POST requests with beacon data using XHR or the sendBeacon API to a host in the akstat.io domain over HTTPS.
connect-src https://*.go-mpulse.net: Boomerang will fetch it’s configuration from *.go-mpulse.net using XHR over HTTPS.
If the app is configured to track sessions across multiple domains then a frame-src CSP rule is required to whitelist the request to the cross domain HTML. Boomerang will request the page using an IFRAME.
frame-src [cross domain session host];
Updated almost 2 years ago