Best practice often requires applying restrictive security policies when incorporating embeds into websites. This is particularly important when working in enterprise environments with established security policies. In this doc, we discuss how to embed Airkit apps so that they comply with whatever security practices are in place.
An Airkit Embed comes out of the box with two script tags: one that loads the embed, and a bare script tag that creates the client. The following example shows how they might appear:
<script src="https://client.airkit.com/18/air-client.js"></script>
<script>
  Airkit.createClient(****)
</script>
If copied and pasted into a website directly, the latter tag can count as an unsafe inline script. To subject it to established security policies, the contents of that script tag need to be placed inside a separate JS file that is referenced within the website.
In order to incorporate this file, you must also modify your Content-Security-Policy header to allow https://client.airkit.com as well as the URL that hosts your app. This is done by:
- Adding the URL that hosts the Airkit app to the
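
To check a policy before deploying the embed, the following added example (not Airkit's own code) audits a Content-Security-Policy value: whether it allows the script from https://client.airkit.com, whether a bare inline script would be blocked, and which directives cover the app's origin. The app origin `https://app.example.com`, both sample policies and the use of `frame-src` for the app origin are assumptions, since this page does not show which directive carries it; `script-src-elem`, `'strict-dynamic'` and sources with ports or paths are not handled.

```javascript
// Added example; the app origin and both policies below are constructed.
const AIRKIT_SCRIPT_ORIGIN = "https://client.airkit.com"; // from the embed snippet

// Split a CSP value into a Map: directive name -> list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Does one source expression cover the origin? Handles *, scheme sources, exact
// hosts and *.host wildcards; sources with ports or paths are treated as no match.
function sourceMatches(source, origin) {
  const url = new URL(origin);
  if (source === "*" || source === url.protocol) return true;
  const m = source.match(/^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)\/?$/);
  if (!m) return false; // keywords such as 'self' name no remote origin
  if (m[1] && m[1] + ":" !== url.protocol) return false;
  return m[2] ? url.hostname.endsWith("." + m[3]) : url.hostname === m[3];
}

function auditEmbedCsp(header, appOrigin) {
  const policy = parseCsp(header);
  // Scripts are governed by script-src, falling back to default-src.
  const scripts = policy.get("script-src") ?? policy.get("default-src");
  const nonceOrHash = (scripts ?? []).some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return {
    // With no governing directive, script loads are not restricted at all.
    airkitScriptAllowed: !scripts || scripts.some((s) => sourceMatches(s, AIRKIT_SCRIPT_ORIGIN)),
    // A bare inline <script> runs only if 'unsafe-inline' is in effect; browsers
    // ignore that keyword once a nonce or hash source is present.
    bareInlineBlocked: !!scripts && (!scripts.includes("'unsafe-inline'") || nonceOrHash),
    // Every directive whose source list covers the app's origin.
    appOriginAllowedIn: [...policy]
      .filter(([, srcs]) => srcs.some((s) => sourceMatches(s, appOrigin)))
      .map(([name]) => name),
  };
}

// Constructed policies. frame-src for the app origin is an assumption.
const STRICT = "default-src 'self'; script-src 'self' https://client.airkit.com; frame-src https://app.example.com";
const LOOSE = "script-src 'self' 'unsafe-inline'";
console.log(auditEmbedCsp(STRICT, "https://app.example.com"));
console.log(auditEmbedCsp(LOOSE, "https://app.example.com"));
```
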