CSP Version

CSP Version (Content Security Policy)

What is CSP?

Content Security Policy (CSP) is a security mechanism implemented by browsers that allows you to control which resources (scripts, styles, images, fonts, connections, etc.) a web page can load and execute. It is configured by the server via the Content-Security-Policy HTTP header and acts as a defense layer against attacks such as Cross-Site Scripting (XSS) and data injection.

When a resource violates a CSP directive, the browser blocks it and logs the violation in the developer console. If the policy also carries a report-to or report-uri directive, the browser sends a violation report to that endpoint, and delivering the same policy as Content-Security-Policy-Report-Only logs violations without blocking anything, which is the usual way to test a policy before enforcing it.

Why does CSP affect the Fortface SDK?

The Fortface Web SDK is built as a Web Component that dynamically loads facial detection modules and security resources. This process involves operations that restrictive CSP policies may block:

  • Loading scripts from our own CDN
  • Inline style injection via the Web Component's Shadow DOM
  • Use of resources for the facial detection engine
  • Generation of images in data: URI for capture preview
  • Creation of Web Workers via blob: URL for document processing

Required CSP directives

To use sdk-web with CSP, your policy needs to allow the following directives. The object below uses the camelCase directive names of a Node.js CSP middleware such as Helmet (scriptSrc is emitted as script-src); the same values apply whatever tool you use to emit the Content-Security-Policy header:

  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "https://cdn-loader.isface.live", "https://cdn.isface.live", "'unsafe-eval'", "'wasm-unsafe-eval'"],
    styleSrc: ["'self'", "https://cdn.isface.live", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:"],
    connectSrc: ["'self'", "https://cdn.isface.live", "https://telemetry.isface.live/", "data:", "blob:"],
    fontSrc: ["'self'", "https://cdn.isface.live"],
    frameSrc: ["'none'"],
    frameAncestors: ["'none'"],
    workerSrc: ["'self'", "blob:"],
    childSrc: ["'none'"],
    objectSrc: ["'none'"],
    mediaSrc: ["'none'"],
    baseUri: ["'self'"],
    formAction: ["'self'"],
    manifestSrc: ["'self'"],
    upgradeInsecureRequests: [],
  },

A few points to check before deploying this policy:

  • 'unsafe-eval' in script-src allows string-to-code APIs (eval, new Function, setTimeout with a string argument). It does not by itself let an attacker load a script from a foreign origin, but it re-enables DOM-based injection paths that a strict policy would close, so keep the rest of script-src as tight as it is here. 'unsafe-eval' already permits WebAssembly compilation, so 'wasm-unsafe-eval' adds nothing while 'unsafe-eval' is present; it only matters if the SDK can run without 'unsafe-eval', which this page does not claim.
  • 'unsafe-inline' in style-src allows any inline style; it is needed for the styles the Web Component injects into its Shadow DOM and has no effect on script-src.
  • frame-ancestors is ignored when CSP is delivered through a <meta> tag. Send the policy as an HTTP header, otherwise the clickjacking protection it provides is silently lost.
  • worker-src falls back to child-src (here 'none') and then to script-src when it is absent, so keep the explicit worker-src entry rather than relying on the fallback.

SDK features by directive

  Feature            | Directives used
  -------------------|-------------------------------------------------------------------------
  Facial biometrics  | script-src, style-src, img-src, connect-src, font-src
  Document capture   | script-src, style-src, img-src, connect-src, font-src
  Document upload    | script-src, style-src, img-src, connect-src (+ blob:), font-src, worker-src (+ blob:)

Note: If the document upload feature is not used, the blob: values in worker-src and connect-src can be removed.
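The following is an added example, not code from the Fortface SDK or its documentation. It turns the camelCase directives object from this page into a Content-Security-Policy header value, derives the variant without document upload described in the note above, and checks which of the SDK's resource loads the policy allows. The matcher is a simplified model of the CSP source-expression algorithm (keywords, scheme sources, host sources with an optional path prefix, and the worker-src/frame-src fallback chain); wildcard hosts, nonces, hashes and the http-to-https upgrade rule are not modelled. The page origin https://app.example and the sample URLs are constructed for the example.

```javascript
// Added example (not part of the Fortface SDK): serialize the documented
// directives, build the no-document-upload variant, and evaluate sample loads.
// The matcher is a simplified model of CSP source matching, not browser code.

const sdkDirectives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "https://cdn-loader.isface.live", "https://cdn.isface.live", "'unsafe-eval'", "'wasm-unsafe-eval'"],
  styleSrc: ["'self'", "https://cdn.isface.live", "'unsafe-inline'"],
  imgSrc: ["'self'", "data:"],
  connectSrc: ["'self'", "https://cdn.isface.live", "https://telemetry.isface.live/", "data:", "blob:"],
  fontSrc: ["'self'", "https://cdn.isface.live"],
  frameSrc: ["'none'"],
  frameAncestors: ["'none'"],
  workerSrc: ["'self'", "blob:"],
  childSrc: ["'none'"],
  objectSrc: ["'none'"],
  mediaSrc: ["'none'"],
  baseUri: ["'self'"],
  formAction: ["'self'"],
  manifestSrc: ["'self'"],
  upgradeInsecureRequests: [],
};

// scriptSrc -> script-src, upgradeInsecureRequests -> upgrade-insecure-requests
function directiveName(key) {
  return key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Serialize to the header value. A directive with no values
// (upgrade-insecure-requests) is emitted as its bare name.
function buildHeader(directives) {
  return Object.entries(directives)
    .map(([key, values]) => [directiveName(key), ...values].join(" "))
    .join("; ");
}

// Variant for deployments without document upload: blob: is dropped from
// worker-src and connect-src, everything else stays as documented.
function withoutDocumentUpload(directives) {
  const out = { ...directives };
  for (const key of ["workerSrc", "connectSrc"]) {
    out[key] = directives[key].filter((v) => v !== "blob:");
  }
  return out;
}

// Fallback chain used when a fetch directive is absent (CSP3 semantics).
const FALLBACK = {
  workerSrc: ["childSrc", "scriptSrc", "defaultSrc"],
  frameSrc: ["childSrc", "defaultSrc"],
};

function effectiveSources(directives, directive) {
  for (const key of [directive, ...(FALLBACK[directive] || ["defaultSrc"])]) {
    if (directives[key] !== undefined) return directives[key];
  }
  return null; // nothing governs this load, so CSP does not restrict it
}

// Does one source expression match `url` for a page served from `self`?
function sourceMatches(expr, url, self) {
  if (expr === "'none'") return false;
  // 'self' compares scheme and host:port, so blob: and data: URLs never match
  // it; that is why blob: must be listed explicitly in worker-src.
  if (expr === "'self'") return url.protocol === self.protocol && url.host === self.host;
  if (expr.startsWith("'")) return false; // 'unsafe-eval' etc. say nothing about URLs
  if (expr.endsWith(":")) return url.protocol === expr; // scheme source: data:, blob:
  const src = new URL(expr); // host source, e.g. https://telemetry.isface.live/
  if (src.protocol !== url.protocol || src.host !== url.host) return false;
  // A path ending in "/" is a prefix; any other path must match exactly.
  return src.pathname.endsWith("/") ? url.pathname.startsWith(src.pathname) : url.pathname === src.pathname;
}

function isAllowed(directives, directive, urlString, pageOrigin) {
  const sources = effectiveSources(directives, directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  const self = new URL(pageOrigin);
  return sources.some((expr) => sourceMatches(expr, url, self));
}

// Constructed sample loads: five the SDK needs, two that must stay blocked.
const PAGE_ORIGIN = "https://app.example"; // constructed page origin (assumption)
const sampleLoads = [
  ["scriptSrc", "https://cdn-loader.isface.live/loader.js", true],
  ["scriptSrc", "https://evil.example/inject.js", false],
  ["imgSrc", "data:image/png;base64,iVBORw0KGgo=", true],
  ["workerSrc", "blob:https://app.example/3f1c0a9e", true],
  ["connectSrc", "https://telemetry.isface.live/v1/events", true],
  ["connectSrc", "http://cdn.isface.live/api", false],
  ["frameSrc", "https://app.example/frame.html", false],
];

// Loads whose outcome differs from what the SDK needs (empty = policy fits).
function mismatches(directives) {
  return sampleLoads.filter(([d, u, want]) => isAllowed(directives, d, u, PAGE_ORIGIN) !== want);
}

console.log("Content-Security-Policy: " + buildHeader(sdkDirectives));
console.log("mismatches with the full policy:", mismatches(sdkDirectives));
console.log("blob: worker allowed without document upload:",
  isAllowed(withoutDocumentUpload(sdkDirectives), "workerSrc", "blob:https://app.example/3f1c0a9e", PAGE_ORIGIN)); // false
```

Run it with node to print the serialized header and the check results. The worker-src check is the one worth keeping in a CI test: a policy that omits worker-src inherits child-src, which this page sets to 'none', so the SDK's blob: worker would be blocked even though script-src allows the SDK's origins.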