Content Security Policy (CSP) is a means of securing
your web page by limiting what resources and scripts are allowed to load and
execute. You can enable CSP by setting a Content-Security-Policy header in
HTTP responses from your web server.
There are two standard ways to configure CSP:
1. Specify an allowlist of domains that can inject their resources on the page.
2. Specify a random nonce, with which resources on the page must be marked in order to load. This approach is known as strict CSP.
Because the domains that Google Publisher Tag (GPT) uses change over
time, we only support strict CSP (option 2). This approach removes the need to
maintain a rolling list of domains that might become outdated and break your
site.
Setting up CSP with GPT
1. Enable CSP on your web server.
Follow the steps outlined in adopting strict CSP to set up the CSP header and apply the nonce to every script tag on your page, including gpt.js. GPT specifically supports the following CSP directives:
You can choose a more permissive policy if it fits your use case. More restrictive policies may break without notice.
2. Enable cross-domain rendering.
Ad iframes can load external resources that might not be permitted by the CSP. Since same-domain iframes inherit the top-level window's CSP, and GPT cannot control the creative's contents, same-domain creatives will generally not work properly with CSP headers.
We recommend that you test your policies first by setting the
Content-Security-Policy-Report-Only header instead of
Content-Security-Policy. The header reports violations but still allows
them on the page.
Last updated 2024-10-31 UTC.