For plugins to work correctly you need to allow requests to certain domains (the full list of domains is available below). This can be done by changing the HTTP header which enables CSP. Depending on the solution that you use, this header can be located in different files. This instruction describes the basic principles, not the individual cases. The header should look like this:
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
This string contains directives which specify the allowed sources for different types of content: scripts, stylesheets, fonts, images, HTML5 <audio> or <video> elements etc.
The default-src directive is applied when a directive for a certain resource type is not specified. 'self' means that the content can be loaded from the current domain only.
It's necessary to edit the default-src directive, adding the trusted domain values:
default-src 'self' *.trusted1.com *.trusted2.com
This will allow making requests to and loading content from the specified trusted domains *.trusted1.com and *.trusted2.com including their subdomains.
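Added example (not part of the original instruction): a small Python check that resolves which source list applies to each resource type, using the header shown above. Because default-src is only a fallback, it reports the directives that are set explicitly and therefore still need the trusted domains added. Host matching is simplified (scheme, port and path are ignored), and the host names cdn.trusted1.com and trusted1.com are constructed test values.

```python
# Added example; host matching is simplified (scheme, port, path ignored).
FETCH_DIRECTIVES = ("script-src", "connect-src", "img-src",
                    "style-src", "font-src", "media-src")

# Header value from the page, with only default-src edited as described.
DEFAULT_ONLY = ("default-src 'self' *.trusted1.com *.trusted2.com; "
                "script-src 'self'; connect-src 'self'; "
                "img-src 'self'; style-src 'self';")
# Constructed variant: trusted domains repeated in every explicit directive.
TRUSTED = "'self' *.trusted1.com *.trusted2.com"
ALL_EDITED = "; ".join(f"{d} {TRUSTED}" for d in
                       ("default-src", "script-src", "connect-src",
                        "img-src", "style-src"))

def parse_csp(policy):
    """Split a header value into {directive: [source, ...]}."""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed

def effective_sources(policy, directive):
    """Explicit directive if present, else the default-src fallback."""
    parsed = parse_csp(policy)
    return parsed.get(directive, parsed.get("default-src"))

def host_allowed(sources, host):
    """True if a third-party host matches a host-source in the list."""
    host = host.lower()
    for src in (s.lower() for s in sources):
        if src == "*" or src == host:
            return True
        # "*.example.com" matches subdomains, not example.com itself.
        if src.startswith("*.") and host.endswith(src[1:]):
            return True
    return False

def blocked_directives(policy, host):
    """Directives under which `host` is still not an allowed source."""
    resolved = ((d, effective_sources(policy, d)) for d in FETCH_DIRECTIVES)
    return [d for d, srcs in resolved
            if srcs is not None and not host_allowed(srcs, host)]

if __name__ == "__main__":
    for name, pol in (("default-src only", DEFAULT_ONLY), ("all", ALL_EDITED)):
        print(name, "->", blocked_directives(pol, "cdn.trusted1.com"))
```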