Released Documentation

Configuring Content Security Policies (CSP) for Released Embeds

To embed Released into your app while maintaining a secure Content Security Policy (CSP), you may need to adjust your existing policy to allow certain domains used by Released.

Last updated 7 months ago

Overview

A CSP (Content Security Policy) is a security feature implemented by websites to prevent a wide range of attacks, such as cross-site scripting (XSS) and data injection attacks. It acts as a whitelist that controls what types of resources (scripts, styles, images, etc.) a browser is allowed to load and execute on a webpage.

CSP works by letting the site owner specify a set of rules through HTTP headers or meta tags that define which domains or sources are trusted. For example, a CSP policy might allow images to be loaded only from specific domains, or it might block inline scripts unless they are explicitly allowed.

By restricting which external resources can be loaded, CSP helps to mitigate vulnerabilities that hackers could exploit by injecting malicious code into a website.

When embedding Released into your website or app, you may have to add Released-specific domains to your CSP policy.

CSP Configuration

Strictest CSP Policy

At a minimum, the following CSP should work for most users embedding Released:

Content-Security-Policy: 
  connect-src https://api.released.so https://events.released.so; 
  script-src https://embed.released.so; 
  style-src 'unsafe-inline' https://cdn.released.so https://embed.released.so; 
  img-src https://cdn.released.so https://dwamxgqy3aotj.cloudfront.net; 
  font-src https://embed.released.so

Please note that these policies cannot be copied as-is and instead must be merged with your existing policy, otherwise your own assets will be blocked by this policy.

Recommended CSP Policy

To simplify updates and future-proof your policy against changes we make, we recommend using the source https://*.released.so to allow any subdomain of released.so as a source:

Content-Security-Policy: 
  connect-src https://*.released.so; 
  script-src https://*.released.so; 
  style-src 'unsafe-inline' https://*.released.so; 
  img-src https://*.released.so https://dwamxgqy3aotj.cloudfront.net; 
  font-src https://*.released.so

This policy covers all potential subdomains of Released, making it easier to accommodate updates or changes in our infrastructure without further adjustments.

Additional Media Domains

If you are embedding video files or media content into your release notes and roadmaps and your CSP policy already includes a media-src or default-src directive, you will need to extend your media-src directive to include the locations of those images and videos.
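
One way to do the merge that the Strictest CSP Policy section asks for, and the media-src extension described above, is sketched below. This is an added example, not code from Released; parseCsp and mergeCsp are hypothetical helper names, and the source lists are the ones given in the strictest policy. It copies default-src into any directive it has to create, because a new directive replaces the default-src fallback for that resource type.

```javascript
// Added example: merge the Released sources from this page into an existing CSP.
// The values are the "Strictest CSP Policy" listed earlier on this page.
const RELEASED_SOURCES = {
  'connect-src': ['https://api.released.so', 'https://events.released.so'],
  'script-src': ['https://embed.released.so'],
  'style-src': ["'unsafe-inline'", 'https://cdn.released.so', 'https://embed.released.so'],
  'img-src': ['https://cdn.released.so', 'https://dwamxgqy3aotj.cloudfront.net'],
  'font-src': ['https://embed.released.so'],
};

// Parse "name src src; name src" into a Map that keeps directive order.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return the existing policy with the extra sources added to each directive.
function mergeCsp(existingHeader, additions = RELEASED_SOURCES) {
  const policy = parseCsp(existingHeader);
  for (const [name, extra] of Object.entries(additions)) {
    let current = policy.get(name);
    if (current === undefined) {
      // Missing directive: the browser falls back to default-src. With no
      // default-src the resource type is unrestricted, so add nothing.
      if (!policy.has('default-src')) continue;
      // Start from the fallback, otherwise the new directive would replace
      // it and block the site's own assets.
      current = [...policy.get('default-src')];
    }
    // 'none' only works alone; drop it once real sources are added.
    const merged = current.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of extra) if (!merged.includes(src)) merged.push(src);
    policy.set(name, merged);
  }
  return [...policy].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}
```

If the existing style-src carries a nonce or hash, browsers ignore 'unsafe-inline' in that directive, so confirm the embed's styles still load after merging.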

Final Recommendations

For maximum flexibility and security, adopting the wildcard strategy (*.released.so) in your CSP will help avoid issues as Released evolves. If you encounter specific errors, contact our support team for further assistance.