Domain Policy
Arkose Labs uses the following domains:
Domain | Context |
---|---|
<company>-api.arkoselabs.com | Client |
cdn.arkoselabs.com | Client |
<company>-verify.arkoselabs.com | Server |
status.arkoselabs.com | Client/Server (if using failover logic) |
Content Security Policy (CSP)
The Arkose Labs client integration needs specific policies enabled in order work correctly.
If you are defining CSPs in your site, please refer to this page.
CSP Domains
Arkose Labs supports a number of domains depending on the integration of choice.
When defining CSP resources we generally recommend using a wildcard domain. The wildcard will work with most integrations and also give you the most flexibility in case you decide to change your company name or add more integrations to a page.
*.arkoselabs.com
If you do not wish to use wildcards, you can simply specify the URL you load the Arkose script from.
client-api.arkoselabs.com
or
<company>-api.arkoselabs.com
If you are using Vanity URLs, you’ll need to specify your vanity URL instead.
your-url.com
Main Policies
If any of these policies are currently defined in your page, they will need to include the correct resources.
Directive | Explanation | Resources |
---|---|---|
frame-src | The Arkose Labs challenge and modal are rendered in an iFrame in order to isolate CSS and avoid unwanted interactions with your page.frame-src needs to be defined in order to load this iFrame. | {arkose domain} |
connect-src | The Arkose Labs integration makes HTTPS requests in order to set up the customer session and load client configuration.connect-src must be defined, otherwise these requests will be blocked and the integration will not work. | {arkose domain} |
script-src | In order for api.js and subsequent JS files to load, we need to allow the Arkose domains from script-src. | {arkose domain} |
style-src | The Arkose challenge loads some inline CSS. We have two options to allow this CSS to load: -define style-src with nonce*-define style-src with unsafe-inline (not recommended) | nonce or unsafe-inline |
*See “Using nonce for style-src
”
default-src
The default-src
directive will be the fallback in case any directive is not defined. If default-src
is defined, and any of the main directives above are not defined, they will need to include the necessary resources in default-src
.
For example, if default-src
is defined but style-src
isn’t, we need to include a nonce or unsafe-inline
in default-src
.
If default-src
is defined but script-src
isn’t, we need to include {arkose domain}
in default-src
.
Using nonce for style-src
style-src
The Arkose integration has nonce support for it’s style-src
directive. This allows you to avoid using unsafe-inline
in your CSP policy.
In order to use a nonce in your policy, follow these steps:
- Generate nonce, for example
aabbcc
- When creating the
<script>
element for the Arkose integration, include adata-nonce
attribute with valueaabbcc
<script src='...api.js' data-callback="setupEnforcement" data-nonce="aabbcc" defer async ></script>
- Include the nonce in your CSP policies
style-src 'self' 'nonce-aabbcc';
Sub Policies
The following policies are sub directives. If they are defined in your page, they also need to include the correct directive resources. Otherwise, they will inherit the policies from script-src
and style-src
respectively and will not need to be defined.
Directive | Explanation | Resources |
---|---|---|
script-src-elem | Part of the Arkose Labs challenge is loaded by <script> elements. This directive defines what domains can be loaded via these elements.If this directive is specified, the arkose domain needs to be included. | {arkose domain} |
style-src-elem | The Arkose Labs integration loads some <style> elements.If you specify this directive, either a nonce or 'unsafe-inline ' needs to be included. | nonce or 'unsafe-inline' |
style-src-attr | The Arkose Labs integration loads some inline styles in the page. This directive allows inline styles to be loaded by our domain. If you specify this directive, either a nonce or 'unsafe-inline' needs to be included. | nonce or 'unsafe-inline' |
As an example. If style-src-elem
is not defined, the browser will first look for the style-src
policy. If that doesn’t exist, it will look at default-src
.
CSP Examples
Basic Example
'Content-Security-Policy':
`connect-src 'self' *.arkoselabs.com; `
`frame-src 'self' *.arkoselabs.com;`
`script-src 'self' *.arkoselabs.com;`
`style-src 'self' 'nonce-aaabbcc';`
Script created with attribute data-nonce="aabbcc"
.
With sub-policies defined
'Content-Security-Policy':
`connect-src 'self' *.arkoselabs.com;`
`frame-src 'self' *.arkoselabs.com;`
`script-src 'self' *.arkoselabs.com;`
`script-src-elem 'self' *.arkoselabs.com;`
`style-src 'self' 'nonce-aaabbcc';`
`style-src-elem 'self' 'nonce-aaabbcc';`
`style-src-attr 'self' 'nonce-aaabbcc';`
With default-src defined
'Content-Security-Policy':
`connect-src 'self' *.arkoselabs.com;`
`frame-src 'self' *.arkoselabs.com;`
`script-src 'self' *.arkoselabs.com;`
`default-src 'self' 'nonce-aaabbcc';`
In this example, style-src
is omitted and default-src
is included. This means that default-src
needs to have the resources necessary for style-src
to work ('nonce-aaabbcc'
).
With other CSP policies defined
'Content-Security-Policy':
`object-src 'self'`
In this example, we don’t define any directives required by Arkose, so we don’t need to specify anything for Arkose Labs.
Update Policy
If Arkose Labs intends to add additional domains, customers will be informed at least 60 days in advance.
Updated about 2 months ago