VONQ
Changelog

Version 4.8

CSP: document CloudFront hosts for widget asset chunks

The Content Security Policy (CSP) guidance in Setting Up and Integrating HAPI Elements now lists the specific VONQ-owned CloudFront distribution hostnames that serve the HAPI Elements widget's static asset chunks (Next.js hashed JavaScript and CSS).

Why

Inside the iframe at https://elements.hapi.vonq.com (production) and https://elements-sandbox.hapi.vonq.com (sandbox), the widget's hashed _next/static/... JavaScript and CSS chunks are served through dedicated CloudFront distributions for CDN caching:

  • Production: https://d1iuyjvfend72f.cloudfront.net
  • Sandbox: https://d1y42ohb1tm5oi.cloudfront.net

These were never explicitly listed in the documented CSP block, even though they have always been part of how the widget loads its UI in deployed environments. Some integrators run strict CSP setups — for example, enforcing CSP at a reverse proxy, a service worker, or another layer above the widget iframe — and those setups can refuse the asset chunks because the CloudFront hosts are not in the allow-list.

What to do

If you enforce CSP only on your own host page (the typical case — a Content-Security-Policy HTTP header or <meta> tag on the ATS page that embeds the widget), you do not need to change anything. The existing script-src against https://*.vonq.com already covers the loader (injector.js, loader.js) and SDK scripts that run on your page.

If you enforce CSP at a layer that also restricts the widget iframe's own script loads, add the two CloudFront hostnames above to your script-src directive. The recommended full CSP block is now:

frame-src 'self' https://*.vonq-aws.com https://*.vonq.com
connect-src 'self' https://*.vonq-aws.com https://*.vonq.com
script-src 'self' 'unsafe-inline' https://*.vonq-aws.com https://*.vonq.com https://d1iuyjvfend72f.cloudfront.net https://d1y42ohb1tm5oi.cloudfront.net

Notes

  • Each CloudFront distribution above is locked to the corresponding VONQ Elements origin and serves only the widget's own static assets. Listing the specific distribution hostnames is therefore no more permissive than allowing https://*.vonq.com, and is strictly more secure than allowing https://*.cloudfront.net (which would whitelist every other AWS CloudFront tenant).
  • The widget itself, its API calls, and its iframe src continue to load from https://*.vonq.com (sandbox / production) and https://*.vonq-aws.com (VONQ development/testing). The frame-src and connect-src lines are unchanged.
  • This is a documentation update only — there is no change to the widget's runtime behaviour, network calls, or load order.
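To make the two cases above concrete, here is an added checker (an illustration written for this changelog, not VONQ's own code) that parses a CSP header, reports which of the two CloudFront asset hosts a script-src would still block, and flags the over-broad https://*.cloudfront.net source the first note warns against. It accepts either the ';'-separated header form or one directive per line as printed above; host-source matching is a simplified reading of the CSP spec (scheme, wildcard and exact host only, no path or port rules), which is an assumption of the example.

```python
"""Check a Content-Security-Policy header for the HAPI Elements widget's
CloudFront asset hosts (added illustration, not VONQ's own code)."""

# Distribution hostnames listed in the changelog above.
WIDGET_ASSET_HOSTS = (
    "d1iuyjvfend72f.cloudfront.net",  # production chunks
    "d1y42ohb1tm5oi.cloudfront.net",  # sandbox chunks
)
# Sources that would admit far more than VONQ's two distributions.
BROAD_PATTERNS = ("*", "https:", "*.cloudfront.net")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}.
    Accepts ';'-separated directives or one directive per line."""
    directives = {}
    for part in header.replace("\n", ";").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def host_pattern(source: str) -> str:
    """Reduce https://*.vonq.com:443/x to *.vonq.com; keyword ('self') and
    scheme (https:) sources are returned unchanged."""
    s = source.lower()
    if s.startswith("'") or s.endswith(":"):
        return s
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0].split(":", 1)[0]   # drop path and port

def source_allows(source: str, host: str) -> bool:
    """Does one CSP source expression permit loading from `host`?"""
    pat = host_pattern(source)
    if pat.startswith("'"):               # 'self', 'unsafe-inline', nonces
        return False
    if pat in ("*", "https:"):            # wildcard or scheme source
        return True
    if pat.startswith("*."):              # *.example.com: any subdomain
        return host.endswith(pat[1:]) and host != pat[2:]
    return pat == host

def check_widget_csp(header: str):
    """Return (asset hosts the policy blocks, overly broad script sources)."""
    directives = parse_csp(header)
    sources = directives.get("script-src") or directives.get("default-src", [])
    missing = [h for h in WIDGET_ASSET_HOSTS
               if not any(source_allows(s, h) for s in sources)]
    broad = [s for s in sources if host_pattern(s) in BROAD_PATTERNS]
    return missing, broad
```

Run it against the recommended block and both lists come back empty; run it against the earlier block that stopped at https://*.vonq.com and both CloudFront hosts are reported as blocked.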