CSP & External scripts/components
When you add a source to your Content Security Policy (CSP), it is important to understand what you are actually permitting.
It can quickly become technical, with many ifs and it-depends, but you should know what a third party whose origin you whitelist is potentially able to do.
When you add a third-party script or component and whitelist its origin in your CSP rules, be aware that the third party (the owner of the script) can potentially:
See which users access your website and which pages they visit, including their IP addresses, because every visitor's browser requests the script directly from the third party's server on each page load.
Read your and your customers' passwords when they log in, and all other data they see and enter on your website. A whitelisted script runs with the same privileges as your own JavaScript: it can read the DOM, form fields and any cookie not marked HttpOnly, and it can send what it reads back to its own server, which you have just whitelisted.
Inject code and objects into your website that manipulate or change its layout and functionality.
If the third party is compromised, everything above becomes possible for the attackers as well. Your website is only as secure as the least secure of your third-party vendors.
Depending on the technical details (which kind of component is included, how and where it is included and whitelisted, etc.) there may be practical limits to what the third party can do; a component embedded in a cross-origin iframe, for example, sees far less of your page than a script loaded directly into it. These limits can be hard to deduce, so as a baseline assume the points above unless a trusted party tells you otherwise.
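The first thing to check when adding an entry is how much it actually permits. The following is an added example, not code from the original page, written in Python: a simplified implementation of the CSP Level 3 source-expression matching rules, used to show which entries of a sample script-src value would allow a given script URL to execute. The host names (www.shop.example, cdn.vendor.example, attacker.example) and the policy are made up for the example, and the matcher ignores nonces, hashes, 'strict-dynamic', redirects and percent-encoded paths.

```python
"""Added example: how broad is a CSP script-src whitelist entry?

Simplified CSP Level 3 source-expression matching for host-source,
scheme-source, 'self' and *. Nonces, hashes, 'strict-dynamic', redirect
handling and path percent-decoding are deliberately left out, so treat
this as an illustration, not a reference implementation. All host names
below are made up for the example.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _scheme_matches(expected, actual):
    # CSP lets an http:/ws: expression also match the secure upgrade of that scheme.
    return actual == expected or (expected, actual) in {("http", "https"), ("ws", "wss")}


def _url_parts(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port, u.path or "/"


def source_matches(source, url, page_origin):
    """True if the CSP source expression `source` permits loading `url`
    from a page whose origin is `page_origin`."""
    scheme, host, port, path = _url_parts(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return _url_parts(page_origin)[:3] == (scheme, host, port)
    if source == "*":                                   # any network scheme, any host
        return scheme in DEFAULT_PORTS
    if source.endswith(":") and "/" not in source:      # scheme-source, e.g. "https:"
        return _scheme_matches(source[:-1].lower(), scheme)

    # host-source: [scheme://]host[:port][/path]
    src_scheme, sep, rest = source.partition("://")
    if not sep:
        # No scheme in the entry: the page's own scheme applies (secure upgrade allowed).
        src_scheme, rest = _url_parts(page_origin)[0], source
    if not _scheme_matches(src_scheme.lower(), scheme):
        return False

    hostport, slash, pathpart = rest.partition("/")
    src_host, _, src_port = hostport.partition(":")
    src_host = src_host.lower()
    src_path = slash + pathpart                         # "" when the entry has no path

    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):             # "*.vendor.example" -> ".vendor.example"
            return False
    elif src_host != host:
        return False

    if src_port == "*":
        pass
    elif src_port:
        if int(src_port) != port:
            return False
    elif port != DEFAULT_PORTS.get(scheme):             # no port in entry: URL must use the default port
        return False

    if src_path.endswith("/"):                          # trailing slash: directory prefix match
        return path.startswith(src_path)
    if src_path:                                        # otherwise the exact file only
        return path == src_path
    return True                                         # no path at all: every file on that host


def permitting_sources(script_src, url, page_origin="https://www.shop.example"):
    """List the entries of a script-src value that would let `url` execute."""
    return [s for s in script_src.split() if source_matches(s, url, page_origin)]


if __name__ == "__main__":
    policy = "'self' https://cdn.vendor.example/widget/ *.vendor.example https:"
    for url in (
        "https://cdn.vendor.example/widget/w.js",               # the file you meant to allow
        "https://cdn.vendor.example/other-customer/upload.js",  # another tenant on the same host
        "https://anything.vendor.example/x.js",                 # any subdomain of the vendor
        "https://attacker.example/x.js",                        # any https site at all
    ):
        print(f"{url}\n    allowed by: {permitting_sources(policy, url) or 'nothing'}")
```

Running the demo shows the gradient: the path-scoped entry only permits files under /widget/; an entry without a path permits every file on that host, which on a shared CDN includes files other customers upload; `*.vendor.example` permits any subdomain the vendor (or anyone who controls a subdomain) serves from; and a bare `https:` permits every https site, so it no longer restricts script injection at all. Prefer the narrowest entry that still loads the component.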
An alternative to including externally hosted third-party components is to self-host them, i.e. serve the files from your own website. This makes sense in some scenarios and removes some of the dangers: a copy on your own server does not change when the vendor's server is compromised, and the vendor no longer sees every visitor's request for the file.
It is still recommended to vet the component, and you take over responsibility for keeping it updated. Be aware that if the component sends data to external APIs or fetches further sub-components in order to work, self-hosting gets more complex: those destinations have to be vetted and whitelisted as well, and the data flow to the vendor remains.
When including and whitelisting a component, it is recommended to have the following in place:
Make sure you know who is behind the service/component and that you trust them, with the above points in mind.
Make sure the third party permits you to embed the component in your website.
Have a data processing agreement in place that describes which data about your customers they process, how, and for which purposes.
Get a list of the cookies and similar identifiers they use and set in your customers' browsers.
Describe the component's cookies and data usage in your privacy policy and in your cookie/consent banner system.
If the service they provide or the data they collect is not strictly necessary and therefore depends on consent, make sure the script/component is only loaded if the user has given consent for the purpose in question.
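A simple way to make the last point hold is to drive both the script tags and the CSP from the same registry of vetted components, so a consent-dependent component is neither loaded nor whitelisted until consent exists, and the two cannot drift apart. The following is an added example (not from the original page) in Python; the component names, origins and purpose categories are hypothetical, and the extra `object-src 'none'; base-uri 'self'` directives are this example's hardening choice, not something the page prescribes.

```python
"""Added example: derive script tags and CSP script-src from one component
registry so that a consent-dependent component is neither loaded nor
whitelisted until the user has consented to its purpose.
Names, origins and purposes below are made up for the example."""
from html import escape

# Hypothetical registry: one entry per vetted third-party component.
# "necessary" components run without consent; all others need consent
# for their purpose category (matching the categories of your consent banner).
COMPONENTS = [
    {"name": "checkout", "src": "https://pay.vendor.example/checkout.js", "purpose": "necessary"},
    {"name": "chat", "src": "https://chat.vendor.example/widget.js", "purpose": "functional"},
    {"name": "analytics", "src": "https://stats.vendor.example/tag.js", "purpose": "statistics"},
]


def _origin(url):
    """Reduce a script URL to the scheme://host[:port] that CSP needs."""
    scheme, _, rest = url.partition("://")
    return f"{scheme}://{rest.split('/', 1)[0]}"


def active_components(consented_purposes):
    """Components allowed to run given the set of purposes the user consented to."""
    return [c for c in COMPONENTS
            if c["purpose"] == "necessary" or c["purpose"] in consented_purposes]


def csp_header(consented_purposes):
    """Content-Security-Policy value: 'self' plus only the origins of active components.
    object-src 'none' and base-uri 'self' are this example's own hardening choice."""
    origins = sorted({_origin(c["src"]) for c in active_components(consented_purposes)})
    return ("script-src " + " ".join(["'self'"] + origins)
            + "; object-src 'none'; base-uri 'self'")


def script_tags(consented_purposes):
    """Script tags for the active components only; the rest are not emitted at all."""
    return "\n".join(f'<script src="{escape(c["src"], quote=True)}"></script>'
                     for c in active_components(consented_purposes))


if __name__ == "__main__":
    for consent in (set(), {"functional"}, {"functional", "statistics"}):
        print(f"consent={sorted(consent) or 'none'}")
        print("  Content-Security-Policy:", csp_header(consent))
        print("  " + script_tags(consent).replace("\n", "\n  "))
```

The consent set would normally be read from your consent banner's cookie on each request; because the header and the markup come from the same `active_components` call, a component whose purpose has not been consented to is absent from both.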