
CSP, CORS, and User Interface integrations

Cross-site scripting protection mechanisms in browsers are designed to protect users against malicious code when a page embeds content and scripts from external sources (that is, from other domain names). As most integrations will be hosted on a separate domain, such mechanisms often take effect.

Note: We do not recommend installing browser plugins to overcome these restrictions.

CSP in FotoWare

CSP (Content Security Policy) is a security mechanism to control sources from which external content can be loaded into an HTML page. Typically, it should be configured so that content can only be loaded from specific trusted sources, ideally only from the same domain as the page.

If a third-party website used in a UII redirects to a different domain, then the destination domain may be blocked by CSP. As a remedy, use the final URL in the UII configuration, so it is allowed by CSP.

Integrators should not assume that CSP is active in a user's browser, and should not rely on CSP alone for the security of UIIs. Always construct URL patterns for UIIs carefully to secure the integration against possible XSS attacks via metadata values.

When registering a user interface integration with FotoWare, the domain part of the URL to the integration is automatically added to FotoWare's CSP rules. 
The integration might not work if it redirects to pages hosted on other domains.
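The redirect problem described above can be checked before a UII is registered. The following is an added example, not FotoWare code: it walks a recorded redirect chain and reports any host that the registered domain does not cover. All function names, the `example.com`/`example.net` URLs and the sample responses are constructed, and it assumes the "domain part" means the URL's hostname.

```javascript
// Added example: hypothetical names and constructed data throughout.
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

// Walk a recorded redirect chain. `responses` maps a URL string to the
// { status, location } observed for it (for instance, noted from the
// browser's network tab). Returns the ordered list of URLs visited.
function followRedirects(startUrl, responses, maxHops = 10) {
  const chain = [new URL(startUrl).href];
  const seen = new Set(chain);
  for (let hop = 0; ; hop++) {
    const current = chain[chain.length - 1];
    const res = responses[current];
    if (!res || !REDIRECT_CODES.has(res.status) || !res.location) return chain;
    if (hop === maxHops) throw new Error(`more than ${maxHops} redirects`);
    // Location may be relative; resolve it against the current URL.
    const next = new URL(res.location, current).href;
    if (seen.has(next)) throw new Error(`redirect loop at ${next}`);
    seen.add(next);
    chain.push(next);
  }
}

// Compare the hostname of the registered URL with every hop in the chain.
function checkUiiUrl(registeredUrl, responses) {
  const chain = followRedirects(registeredUrl, responses);
  const registeredHost = new URL(registeredUrl).hostname;
  const offDomain = chain.filter((u) => new URL(u).hostname !== registeredHost);
  return {
    finalUrl: chain[chain.length - 1], // candidate URL to register instead
    ok: offDomain.length === 0,
    // Hosts reached by redirect that the registered domain does not cover.
    uncoveredHosts: [...new Set(offDomain.map((u) => new URL(u).hostname))],
  };
}

// Constructed sample: a UII URL that redirects twice, ending on another domain.
const SAMPLE_RESPONSES = {
  "https://tools.example.com/edit": { status: 302, location: "/login?next=edit" },
  "https://tools.example.com/login?next=edit": { status: 302, location: "https://app.example.net/edit" },
  "https://app.example.net/edit": { status: 200 },
};

console.log(checkUiiUrl("https://tools.example.com/edit", SAMPLE_RESPONSES));
```

When `ok` is false, `finalUrl` is the URL to use in the UII configuration so that its domain is the one added to the CSP rules.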


CSP in Integration: This is normally not relevant for bespoke integrations. If you are building bespoke integrations, you must ensure the FotoWare domain is included in the CSP allowlist. However, most web apps have all domains on their allowlist by default. If you are using third-party services (such as Google Maps), they may block unknown domains by default. If so, viable options include looking into allowlist options with the provider or building middleware that can overcome such restrictions.

Note: CSP rules in FotoWeb have a long cache time, meaning that newly registered UIIs may not work for some time. Clearing the browser cache does not help in this instance.

CORS in FotoWare

FotoWare does not currently append CORS (Cross-Origin Resource Sharing) headers. This means that any API calls from an integration must be made from the integration's server side, not from its client side.