Leaving Hostaway because of their booking fee?

Allow the ability to set the Content Security Policy headers in widgets

Status: Requested 1 Vote
Cole W
Sep 3, 2022 8:53 AM
Joined Sep, 2021 11 posts

Use Case:

I am embedding FullStory into my website to better understand my traffic. However, within FullStory session replay, all OwnerRez iframes appear blank, and I can't see how users interact with them. Looking at FullStory's documentation it is possible to capture traffic from within an iframe and have it communicate back to the iframe's parent. Furthermore, I would be able to, within my OwnerRez widget setup add the required script into the widget html with the Widget Loaded conversion tracking setup. However, in order to do that securely while avoiding XSS, the Content Security Policy headers must be configured with the Content Security Policy header of frame-ancestors as per this documentation. Unfortunately, that is disabled for use with the <meta> tag, for good reason. So, in order to configure embedded FullStory within the OwnerRez widget, I would need the ability to add my domain to the Content Security Policy header, which doesn't appear possible.

Feature Request:

Either automatically during widget setup, ask the user what domain it will be set up on and automatically add that to the frame-ancestor field with the Content Security Policy header, or add a configuration option to manually set this up.

Chris Hynes
Sep 12, 2022 5:53 PM
OR Team Member Joined Oct, 2012 1401 posts

Can you create an example of the widget where it's not working with the script and send it to the helpdesk so that we can have a look at that specific scenario?

Cole W
Sep 14, 2022 10:05 AM
Joined Sep, 2021 11 posts

After looking at this, I'm not positive this will be possible, at least with my current setup. My CMS unfortunately puts custom HTML into its own iframe and your widget also loads an iframe, meaning that I have two layers of iframes to traverse and I'm not positive how Fullstory's script works in that regard. 

Regardless, I did attempt this as is without setting that CSP header within my Booking/Inquiry Widget and it did not work, unfortunately. So it appears that an implementation as I suggested would need to be done.