Content Security Policy (CSP)
Using the mPulse non-blocking loader snippet to include Boomerang on your site, via Akamai Edge injection or origin injection, requires merging the following CSP rules to your existing set of rules:
script-src https://*.go-mpulse.net; img-src https://*.akstat.io; connect-src https://*.akstat.io https://*.go-mpulse.net;
Explanation of individual rules:
-
script-src https://*.go-mpulse.net
: The Boomerang JavaScript file will be downloaded from a host in the go-mpulse.net domain over HTTPS. -
img-src https://*.akstat.io
: Boomerang will send GET requests with beacon data to a host in the akstat.io domain using dynamically created IMG elements over HTTPS. -
connect-src https://*.akstat.io
: Boomerang will send POST requests with beacon data using XHR or the sendBeacon API to a host in the akstat.io domain over HTTPS. -
connect-src https://*.go-mpulse.net
: Boomerang will fetch it’s configuration from *.go-mpulse.net using XHR over HTTPS.
If the app is configured to track sessions across multiple domains then a frame-src CSP rule is required to allowlist the request to the cross domain HTML. Boomerang will request the page using an IFRAME.
frame-src [cross domain session host];
Updated 17 days ago