Re: Valid CSP rules

cameronmarlow
Level 1

Valid CSP rules

Hi there,


Does anyone have a comprehensive list of content security policy (CSP) rules for Munchkin tracking on a website? It's unclear from the documentation which hosts need to be included in order to make Munchkin work in production.

I have included munchkin.marketo.net in the script-src block but it appears that this makes callbacks to a number of other hosts and I can't find where these are listed.


Thanks!

SanfordWhiteman
Level 10 - Community Moderator

Re: Valid CSP rules

Do you actually mean P3P (not CSP)?

cameronmarlow
Level 1

Re: Valid CSP rules

Sorry for not being clear! It's Content Security Policy:

https://en.wikipedia.org/wiki/Content_Security_Policy

Which is a large industry standard to prevent cross-site scripting (XSS). It allows a host to restrict what other hosts can load scripts on that page. So for instance, if you want to load the munchkin script, you would need to add "munchkin.marketo.net" to your "script-src" block of your CSP. It appears that the Munchkin code makes lots of callbacks to other hosts and this doesn't seem to be documented anywhere.

SanfordWhiteman
Level 10 - Community Moderator

Re: Valid CSP rules

I know what CSP is very well. However, the CSP policy defaults to none if you don't set one, so it is not a requirement.


P3P directly pertains to the use of tracking data, which is also connected to Munchkin in operation.


Munchkin doesn't really make "lots of callbacks", it bootstraps and loads from munchkin.marketo.net and loads pixels from {{Munchkin ID}}.mktoresp.com.


cameronmarlow
Level 1

Re: Valid CSP rules

The CSP policy is set by the web server, and ours is quite locked down due to security constraints. I need to add an exception for every host being accessed from our web pages.


I did see that {{Munchkin ID}}.mktoresp.com was being requested, but now also {{Munchkin ID}}.mktoutil.com, neither of which is documented in the official documentation.


Most Javascript APIs these days have a canonical set of CSP rules and I was simply looking for that set.

SanfordWhiteman
Level 10 - Community Moderator

Re: Valid CSP rules

Ah right, mktoutil.com is part of the latest attempt to deal with the sameSite cookie rules. (Which isn't completely successful.)
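As an added example (not posted by anyone in this thread), a small Python checker that parses a Content-Security-Policy header and reports whether the hosts named above would be allowed by a locked-down policy. Which directive governs each host is an assumption: the munchkin.marketo.net bootstrap script under script-src, and the mktoresp.com and mktoutil.com pixel hosts under img-src; the Munchkin ID and the sample policy are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample: a locked-down policy (default-src 'none') that admits the
# Munchkin bootstrap host but, as in the thread, was never told about mktoutil.com.
MUNCHKIN_ID = "123-ABC-456"  # placeholder Munchkin ID, not a real account
SAMPLE_CSP = (
    "default-src 'none'; "
    "script-src 'self' https://munchkin.marketo.net; "
    f"img-src 'self' https://{MUNCHKIN_ID}.mktoresp.com; "
    "connect-src 'self'"
)

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source: str, scheme: str, host: str) -> bool:
    """Host-source matching: optional scheme, optional leading '*.' wildcard.
    Scheme comparison is strict here (no http->https upgrade), a simplification."""
    s = source.lower()
    if s == "*":
        return True
    if s.startswith("'"):              # keyword such as 'self' or 'none', not a host
        return False
    if "://" in s:
        src_scheme, src_host = s.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        src_host = s
    src_host = src_host.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # '*.example.com' excludes the apex
    return host == src_host

def allows(policy: dict, directive: str, url: str) -> bool:
    """Does `directive` (falling back to default-src) permit loading `url`?"""
    sources = policy.get(directive, policy.get("default-src", []))
    u = urlsplit(url)
    return any(source_matches(s, u.scheme, u.hostname or "") for s in sources)

def munchkin_report(header: str, munchkin_id: str) -> dict:
    """Check each host from the thread under the directive assumed to govern it."""
    p = parse_csp(header)
    return {
        "script-src munchkin.marketo.net": allows(p, "script-src", "https://munchkin.marketo.net/"),
        "img-src mktoresp.com": allows(p, "img-src", f"https://{munchkin_id}.mktoresp.com/"),
        "img-src mktoutil.com": allows(p, "img-src", f"https://{munchkin_id}.mktoutil.com/"),
    }
```

Run `munchkin_report(SAMPLE_CSP, MUNCHKIN_ID)` against your own header to see which of the three hosts your policy still blocks; browsers also report blocked loads to a `report-uri`/`report-to` endpoint if one is configured.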