What is CSP?
WildApricot has implemented Content Security Policy (CSP), a security standard that protects against certain types of cybersecurity attacks, including Cross-Site Scripting (XSS) and data injection attacks.
CSP works by detecting calls to external URLs and comparing those calls against a whitelist of verified and approved sites. Calls to sites not on the whitelist are blocked.
WildApricot applies CSP standards only to JavaScript, as it can contain malicious code. All other content types, such as images and CSS, are not affected by WildApricot's implementation of CSP.
It's important to add any external domains that your website uses to your custom JavaScript whitelist to ensure your website complies with WildApricot's CSP rules. Calls to domains not on the whitelist are blocked.
If you are interested in learning more about CSP, you can view Mozilla's article on the topic.
Viewing your whitelist
To view the JavaScript whitelist for your website, follow these steps:
1. From the admin Dashboard, select Website and then select Settings. The Settings tab is located at the top right corner of your screen.
2. On the Settings screen, under Website security, select JavaScript whitelist.
The JavaScript whitelist screen consists of two sections:
- Default whitelisted domains - a list of trusted domains already verified by WildApricot
- Custom whitelisted domains - a list of domains that you have added to your whitelist
If you use any JavaScript hosted on third-party domains, you must add those URLs to your custom whitelist. Other resources, such as images or CSS, are not affected.
Adding a domain to your whitelist
Important note: Any domain added to your custom whitelist must be in one of the formats shown below or it will not be validated.
Valid domain formats:
To add a domain to your custom JavaScript whitelist, follow these steps:
1. From the admin Dashboard, select Website and then select Settings. The Settings tab is located at the top right corner of your screen.
2. On the Settings screen, under Website security, select JavaScript whitelist.
3. In the section called Custom whitelisted domains, enter the domain name and click Add domain.
Removing a domain from your whitelist
To remove a domain from your custom whitelist, click the X to the right of the domain within the list.
