Valid CSP rules | Community
cameronmarlow
Level 2
March 9, 2020
Question

Valid CSP rules

  • March 9, 2020
  • 1 reply
  • 5065 views

Hi there,

Does anyone have a comprehensive list of content security policy (CSP) rules for Munchkin tracking on a website? It's unclear from the documentation which hosts need to be included in order to make Munchkin work in production.

I have included munchkin.marketo.net in the script-src block but it appears that this makes callbacks to a number of other hosts and I can't find where these are listed.

Thanks!


SanfordWhiteman
Level 10
March 9, 2020

Do you actually mean P3P (not CSP)?

cameronmarlow
Level 2
March 9, 2020

Sorry for not being clear! It's Content Security Policy:

https://en.wikipedia.org/wiki/Content_Security_Policy

It is a large industry standard to prevent cross-site scripting (XSS). It allows a host to restrict what other hosts can load scripts on that page. So for instance, if you want to load the Munchkin script, you would need to add "munchkin.marketo.net" to the "script-src" block of your CSP. It appears that the Munchkin code makes lots of callbacks to other hosts, and this doesn't seem to be documented anywhere.

SanfordWhiteman
Level 10
March 9, 2020

I know what CSP is very well. However, the CSP policy defaults to none if you don't set one, so it is not a requirement.

P3P directly pertains to the use of tracking data, which is also connected to Munchkin in operation.

Munchkin doesn't really make "lots of callbacks"; it bootstraps and loads from munchkin.marketo.net and loads pixels from {{Munchkin ID}}.mktoresp.com.
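The two hosts named in this thread map onto two CSP directives: the bootstrap script belongs in script-src and the per-ID pixel host in img-src (a wildcard, since each Munchkin ID is its own subdomain). The policy below and the small source-matching checker that validates it against sample URLs are an added example, not Marketo's code or documentation; the directive mapping, the example origin and the URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed directive mapping for the hosts named in the thread (not Marketo's own):
# script bootstraps from munchkin.marketo.net, pixels from {{Munchkin ID}}.mktoresp.com.
MUNCHKIN_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://munchkin.marketo.net"],
    "img-src": ["'self'", "https://*.mktoresp.com"],
}

def serialize_csp(policy):
    """Render a policy dict as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())

def _host_matches(pattern, host):
    """CSP host-source matching: exact host, or '*.' covering any subdomain (not the bare domain)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mktoresp.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host

def _source_allows(source, url, page_origin):
    """Simplified source-expression check: 'self', 'none', or scheme://host patterns."""
    if source == "'self'":
        return url == page_origin or url.startswith(page_origin + "/")
    if source == "'none'":
        return False
    u, p = urlparse(url), urlparse(source)
    if p.scheme and p.scheme != u.scheme:
        return False
    return _host_matches(p.hostname, u.hostname)

def csp_allows(policy, directive, url, page_origin):
    """True if `url` may load under `directive`; unknown directives fall back to default-src."""
    sources = policy.get(directive, policy.get("default-src", ["'none'"]))
    return any(_source_allows(s, url, page_origin) for s in sources)

if __name__ == "__main__":
    origin = "https://www.example.com"  # constructed page origin
    print(serialize_csp(MUNCHKIN_CSP))
    # Constructed sample requests: the bootstrap script and a pixel from a placeholder ID
    print(csp_allows(MUNCHKIN_CSP, "script-src", "https://munchkin.marketo.net/munchkin.js", origin))
    print(csp_allows(MUNCHKIN_CSP, "img-src", "https://000-aaa-000.mktoresp.com/pixel.gif", origin))
```

The checker mirrors the header's intent, not a browser's full CSP algorithm; the browser's console report is the authoritative check once the header is deployed.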