Documentation & User Guides | FotoWare

CSP, CORS and User Interface Integrations

Cross-site scripting protection mechanisms in browsers are designed to protect users against malicious code when content and scripts are embedded from external sources (that is, from other domain names). Because most integrations are hosted on a separate domain, these mechanisms often take effect.

Important: We do not recommend installing browser plugins to overcome these restrictions.

CSP in FotoWare

CSP (Content Security Policy) is a security mechanism that controls the sources from which external content can be loaded into an HTML page. Typically, it should be configured so that content can only be loaded from specific trusted sources, ideally only from the same domain as the page.

When you register a user interface integration with FotoWare, the domain part of the integration's URL is automatically added to FotoWare's CSP rules.
Note that the integration might not work if it redirects to pages hosted on other domains.

[Image: User Interface Integrations - CSP rule]
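The redirect caveat above can be checked ahead of time by testing every hop of an integration's redirect chain against the policy. The following is an added example, not FotoWare code: it assumes the integration is embedded in a frame (so frame-src governs, with the standard fallback to child-src and default-src), uses placeholder domains, and simplifies CSP source matching by ignoring ports and paths.

```javascript
// Added example (not FotoWare code). Simplified CSP source matching: ports and paths are ignored.
// Assumption: the integration is framed, so frame-src applies (fallback: child-src, default-src).

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !policy.has(name)) policy.set(name, sources); // first occurrence wins
  }
  return policy;
}

function frameSources(policy) {
  const name = ['frame-src', 'child-src', 'default-src'].find((n) => policy.has(n));
  return name ? policy.get(name) : null; // null: no governing directive, framing unrestricted
}

function sourceAllows(source, url, self) {
  if (source === "'self'") return url.origin === self.origin;
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(?:\d+|\*))?(?:\/.*)?$/);
  if (!m) return false; // 'none', other keywords, nonces, hashes
  const [, scheme, wildcard, host] = m;
  // A host-source without a scheme inherits the protected page's scheme (http may upgrade to https).
  const schemeOk = scheme ? url.protocol === scheme + ':'
    : url.protocol === self.protocol || (self.protocol === 'http:' && url.protocol === 'https:');
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  return schemeOk && hostOk;
}

// Returns one { hop, allowed } entry per URL in the redirect chain.
function checkRedirectChain(cspHeader, pageOrigin, chain) {
  const sources = frameSources(parseCsp(cspHeader));
  const self = new URL(pageOrigin);
  return chain.map((hop) => {
    const url = new URL(hop);
    return { hop, allowed: sources === null || sources.some((s) => sourceAllows(s, url, self)) };
  });
}

// Constructed sample: placeholder domains, not real FotoWare policy values.
const samplePolicy = "default-src 'self'; frame-src 'self' https://integration.example.com";
const sampleChain = [
  'https://integration.example.com/start',
  'https://login.example.net/authorize', // redirect to a domain that was never registered
  'https://integration.example.com/callback',
];
console.log(checkRedirectChain(samplePolicy, 'https://dam.example.com', sampleChain));
```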

CSP in Integration: This is normally not relevant for bespoke integrations. If you are building bespoke integrations, you must ensure that the FotoWare domain is whitelisted in the integration's CSP. However, most web apps have all domains whitelisted by default. If you use third-party services (such as Google Maps), they may block unknown domains by default. If so, viable options include looking into whitelisting options with the provider or building middleware that can overcome such restrictions.

CORS in FotoWare

FotoWare does not currently append CORS (Cross-Origin Resource Sharing) headers. This means that any API calls from an integration must be performed on the server side, not from client-side code in the integration.