HTML Content Security Policy
Written by Anthony
Updated over a week ago

In order to provide the most secure service possible, Táve uses a Content-Security-Policy header. A CSP header tells the browser which scripts, styles, frames and other resources a page may load or run, which protects against cross-site scripting and content-injection attacks and makes you and your clients safer. Unfortunately, it may also block some behavior you added intentionally.

This document reviews the technical requirements your Táve content must adhere to.

Note: Our CSP header is currently being rolled out gradually. This document represents the final requirements once all pages have received the header.

Content Requirements

All URLs must be secure. The browser will automatically upgrade an insecure http:// URL to its https:// equivalent. If the linked-to item is hosted on a site that does not support HTTPS, it will fail to load. This is most likely to happen if you link to images or fonts on your own website. You don't need to worry about URLs from CDNs or shared services like Google Fonts or TypeKit, as those services already serve everything over HTTPS.

Only “inline” pages can be iframed. If you use an <iframe> on your website to embed your Táve contact form, questionnaires, or other pages, be sure to use the embeddable version. You can find your iframable URL by going to the Brands list in Settings and copying the “URL for Embedding.”

Style tags are allowed. While we may not render the style tag inside the application, they're allowed in email and code editors. This includes both <style> and <link> tags as well as style="" attributes.

Frames are limited and should be avoided. While we allow <iframe> elements that link to YouTube or Vimeo, this is no longer the preferred way to embed video and should be avoided. It is only supported because once upon a time it was the only way to embed YouTube videos. Embedding any other location with an <iframe> will be blocked by the browser.

Audio and Video must be secure. You can use <audio>, <video> or <track> elements to embed audio or video into your content. The only requirement is that the destination URL be secure (as described above). All legacy <object>, <embed>, and <applet> elements are prohibited.

Forms can only be submitted to Táve-hosted pages. If you add a form to a client facing page hosted by Táve and have it post to your website or any other non-Táve site, it will be blocked by the browser. Likewise, manually changing the <form> action to another website will cause any form submission to be blocked by the browser.

JavaScript event handlers are prohibited. Adding onclick, onload, onmouseover and other event handler attributes to HTML elements is forbidden. Included in this restriction is any attribute content that starts with javascript:, most commonly found in href attributes.

Except where specifically allowed, script tags are prohibited. You can’t add a <script> tag anywhere that isn’t specifically allowed below.
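The rules above can be checked before content is saved rather than discovered when the browser blocks something. The following is an added example in JavaScript, not Táve's own code: a small pre-save linter that encodes each content rule as listed. The Táve host suffix, the allowed frame hosts and the sample markup are constructed assumptions; the actual policy header is not shown on this page.

```javascript
// Added example (not Táve's code): a pre-save linter for the content rules
// listed above. Host names below are assumptions; the real CSP header is not
// shown on this page, so the rules are encoded from the prose.
const TAVE_HOST_SUFFIX = '.tave.com';                           // assumption
const FRAME_HOSTS = new Set(['www.youtube.com', 'youtube.com',  // assumption
                             'player.vimeo.com', 'vimeo.com']);
const URL_ATTRS = new Set(['src', 'href', 'action', 'poster', 'data']);
const BANNED_TAGS = new Set(['object', 'embed', 'applet']);

// Scan start tags and their attributes. A regex scanner is adequate for
// operator-authored markup at authoring time; it is not a full HTML parser,
// and the browser's CSP remains the real enforcement point.
function scanTags(html) {
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const tags = [];
  for (let m; (m = tagRe.exec(html)) !== null;) {
    const attrs = {};
    for (let a; (a = attrRe.exec(m[2])) !== null;) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    }
    attrRe.lastIndex = 0;
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Hostname of an absolute URL, or null for relative/empty values.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Returns findings: { level: 'blocked' | 'warning', tag, detail }.
// pageHtml=true models the Brand Editor "Page HTML" fields, where <script> is honored.
function auditContent(html, { pageHtml = false } = {}) {
  const findings = [];
  const blocked = (tag, detail) => findings.push({ level: 'blocked', tag, detail });
  const warn = (tag, detail) => findings.push({ level: 'warning', tag, detail });

  for (const { name, attrs } of scanTags(html)) {
    if (name === 'script' && !pageHtml) blocked(name, '<script> is only honored in the Page HTML fields');
    if (BANNED_TAGS.has(name)) blocked(name, `legacy <${name}> elements are prohibited`);

    for (const [attr, value] of Object.entries(attrs)) {
      const v = value.toLowerCase();
      if (/^on\w+$/.test(attr)) blocked(name, `event handler attribute ${attr}= is prohibited`);
      if (v.startsWith('javascript:')) blocked(name, `${attr}= uses a javascript: URL`);
      if (URL_ATTRS.has(attr) && v.startsWith('http://')) {
        warn(name, `${attr}= will be upgraded to https://; ${hostOf(value)} must serve it over TLS`);
      }
    }

    if (name === 'iframe') {
      const host = hostOf(attrs.src || '');
      if (host && FRAME_HOSTS.has(host)) warn(name, `${host} frames load but are no longer the preferred way to embed video`);
      else blocked(name, `framing ${host || attrs.src || '(no src)'} is blocked by the browser`);
    }

    if (name === 'form') {
      const host = hostOf(attrs.action || '');   // null = relative action, i.e. Táve-hosted
      if (host && host !== TAVE_HOST_SUFFIX.slice(1) && !host.endsWith(TAVE_HOST_SUFFIX)) {
        blocked(name, `form posts to ${host}; only Táve-hosted pages are allowed`);
      }
    }
  }
  return findings;
}

// Constructed sample page exercising each rule once.
const SAMPLE = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<img src="http://www.example.com/logo.png" alt="logo">
<a href="javascript:alert(1)">click</a>
<button onclick="track()">Book</button>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="https://calendar.example.com/widget"></iframe>
<form action="https://www.example.com/subscribe"><input name="email"></form>
<script src="https://cdn.example.com/analytics.js"></script>
<object data="movie.swf"></object>
`;

for (const f of auditContent(SAMPLE)) {
  console.log(`${f.level.padEnd(7)} <${f.tag}> ${f.detail}`);
}
```

Run against the sample, the linter reports six blocked items (the javascript: link, the onclick handler, the non-video iframe, the off-site form, the script tag and the object element) and two warnings (the http:// image that will be upgraded, and the YouTube iframe that still works but is discouraged). Passing `{ pageHtml: true }` drops the script finding, matching the Brand Editor exception.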

Customizing your client facing pages using the Brand Editor

The Brand Editor's "Page HTML" fields are the only places in Táve that allow you to add <script> tags and have them honored when the page is displayed.

You can load external scripts such as WebFont loaders or analytics trackers in the Brand Editor’s Page HTML fields. Táve will automatically add nonce attributes to script or style tags added here, permitting them to load.

Customizing email HTML

Email clients are very strict about what HTML they allow messages to contain. Therefore the Brand Editor discussion above does not apply to the Brand Editor’s “Email Container HTML” field.

In addition, to improve security and deliverability, we preprocess outgoing email to:

  • Convert style tags and remote stylesheets into inline style attributes

  • Strip out script tags and HTML event handlers

  • Purify the HTML, removing restricted elements and attributes

Limitations of our Rich Text Editor’s Code View

While our Rich Text Editors often have an HTML code view, the code must adhere to the rules above. Most importantly, that means no <script> tags or onclick attributes, and all URLs must support encryption. Any prohibited content that isn't removed on save will be blocked by the browser when the page is displayed.
