Website configuration requirements

content-security-policy and x-frame-origins

For our widget to work properly we require websites to adjust their website HTTP response headers. That can be usually done through help of internal IT team or proxy services like Cloudflare.

Examples of working configuration

A relaxed configuration that is sufficiently secure is the following:

content-security-policy: frame-ancestors 'self'

x-frame-origins: SAMEORIGIN

A more strict security policy that still allows Contester technology to work is the following:

content-security-policy: frame-ancestors https://*.contester.net

x-frame-origins: SAMEORIGIN

Mind that your website may contain more advanced variants of the above configuration properties. You may need to adapt your existing properties rather than replacing them with the ones specified above.

In all cases the best course of action is to consult with your IT engineers on the best way to resolve this.

Cloudflare

Cloudflare has a feature called Transform Rules among which there is an ability to override response headers.

Documentation can be found here.

Feature can be used to override default Shopify HTTP response headers and replace them with less-strict alternatives.

Other CDNs

Approach us with details about your CDN vendor and we can try solve this.

content-security-policy and x-frame-origins​

Examples of working configuration​

A relaxed configuration that is sufficiently secure is the following:​

A more strict security policy that still allows Contester technology to work is the following:​

Cloudflare​