Content Security Policies
Transcend Consent Management can optionally generate a Content Security Policy for your site. We construct this policy using current user consent data in combination with your configured data flows.
Content Security Policy (CSP) is a browser feature which can add a layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
CSP can be activated by setting your Unknown Request Policy to Block in the Consent Management Developer Settings page of your Admin Dashboard.
Your CSP mode can be configured via the airgap.js CSP API. Note that your Unknown Request Policy must be set to Block in order to use a CSP.
Lax mode prevents your visitors from establishing connections to websites that have not been confirmed in your Data Flows. This mode allows for user consent to change without a page refresh.
Strict mode prevents your visitors from establishing connections to websites (and their subdomains) that are not allowed based on user tracking consent. This mode requires a page refresh whenever user tracking consent changes.
No CSP generation. Transcend Consent Management will still provide protection against most network-based tracking. See our Regulation Roadmap for a list of network interfaces that we do not yet directly regulate without CSP.
Our consent manager connects to the following origins by default. Make sure to add these domains to your existing CSP to ensure that our consent manager can function properly:
https://transcend-cdn.com— CDN for consent manager resourceshttps:/cdn.transcend.io— Legacy CDN for consent manager resources. To find out which CDN you're using, please refer to the HTML Snippet that can be found under Developer Settings > Installation.https://telemetry.transcend.io— Encountered host telemetry ingestion endpoint (required; setdata-telemetry="usage"to reduce telemetry to just usage data essential for billing)