Violates Content Security Privacy

Samantha Roseman

I am trying to add an add-in to a form that can see the gift-type-change, and I get this error on the console.

Refused to frame 'https://d1o1p.cloudfront.net/' because it violates the following Content Security Policy directive: "frame-src *.blackbaud.com api-pte-bsp.sharedservices-dev.com dntcl.qualaroo.com doublethedonation.com doublethedonation.ngrok.io uk.smartthing.org www.google.com/recaptcha/ donatestock.com bloom-form-gen.web.app giveamply.com app.lifelegacy.io pllenty.com hope.fndrsng.com www.ucbcanada.com".

The cloudfront url it mentions is where I'm hosting my add-in. Surely that's not actually the issue. Any advice?

Samantha Roseman

@Samantha Roseman
to clarify, this is for a form. It seems to load well when I'm in the builder, but when I'm actually on a donation form, I get this error.

Dan Snyder

@Samantha Roseman Not sure I will be of much help, but maybe @Glen Hutson or @Ashley Moose can help?

Thomas Royal

@Dan Snyder @Glen Hutson or @Ashley Moose

I am having the same issue. I believe the CSP for the donation form needs to either be disabled for the preview, or else there needs to be a way to specify the domain for the add-in. This might have to be done on Blackbaud's side, unless there is some documentation I'm missing.

Ashley Moose

@Thomas Royal and @Samantha Roseman This is outside of my level of add-in development but if you believe there is a change required on Blackbaud's end, please file a case with Support so this can get routed to the appropriate teams.

Thomas Royal

@Ashley Moose

Thank you! As a follow-up: do you know if this CSP is in effect on live forms, or is this something I need to also ask support?

Thomas Royal

I tried embedding the published form from the cohort account and still had the same issue with CSP.

Ashley Moose

@Thomas Royal I am not familiar with CSP settings at all. Sorry!

Samantha McGuin

To get your domain added for your donation form Sky Add-In, please create a case with Support. These have to be manually added by our development team. We're evaluating a better flow for this but for now - contact Support with the domain and we'll get this taken care of for you.

Thomas Royal

@Samantha McGuin

Got it! Thanks y'all for your help! ?

Samantha Roseman

@Samantha Roseman Indeed I confirmed that you need to reach out to support to get your domain added to the CSP. Now I see that the events in the documentation arent actually being fired in the form. One step at a time I guess. haha. One day this will work

Jack Adee

@Samantha McGuin
Is there a recommended way for getting around this while developing locally?

Samantha McGuin

@Jack Adee Unfortunately none that we are aware of. Our security team requires the domains be validated to meet our security requirements with CSP.

Jack Adee

@Samantha McGuin
Ok. Where should I send the link for approval because I do not have access to the support page?

Samantha McGuin

@Jack Adee Just email your domain to me at samantha.mcguin@blackbaud.com and I'll get it taken care of.