
I use Content Security Policy (CSP) on my website, what domains do I need to add to which directives?

Posted by Mathias

On the web, it is common for servers to add security headers to the responses they serve to the browser. These headers are a security measure that restricts what the web page is allowed to load: the browser enforces the header's directives and refuses to load resources from origins that are not explicitly listed. Web pages usually do not want a script, frame, image or media file to be loaded from just anywhere, only from an allow-list of approved domains.

One of these headers is the Content-Security-Policy header. Note that CSP is not the same as CORS (Cross-Origin Resource Sharing): CORS headers are sent by the server that hosts a resource and decide whether a cross-origin page may read the response, whereas CSP is sent by your own server with the page and decides what that page may load at all.

To embed our videos on a site that uses CSP, add our domains to the relevant directives of the Content-Security-Policy header your server already sends (extend the existing directive rather than replacing the whole header, or you will drop restrictions you already rely on). Which directives you need depends on how you embed:

  1. iframe option – If you are embedding a video using our player, you should set the Content-Security-Policy: frame-src 'self' videodelivery.net *.cloudflarestream.com CSP header directive, which allows iframes to be loaded from the specified domains. An explicit frame-src is needed even if you already have a default-src: when frame-src is absent the browser falls back to child-src and then default-src, so a policy that lists only your own origin there will block the player.
  2. embed option – The same config as above will work.
  3. direct link option + custom player – you need to add the Content-Security-Policy: media-src 'self' videodelivery.net *.cloudflarestream.com; img-src 'self' *.videodelivery.net *.cloudflarestream.com; connect-src 'self' *.videodelivery.net *.cloudflarestream.com CSP header directives. media-src allows the video and audio elements to load media from the specified domains, img-src covers poster images and thumbnails, and connect-src covers the fetch/XHR requests a script-based player makes (for example to retrieve HLS or DASH manifests and segments).

Two caveats when copying these lists. First, CSP host matching is exact apart from the wildcard: *.cloudflarestream.com matches any subdomain but not cloudflarestream.com itself, and videodelivery.net without a wildcard matches only that exact host, so check which hostnames your embed actually requests. Second, a blocked request is not silently retried: the browser logs a CSP violation in the developer console naming the directive and the blocked URL, which is the quickest way to see what is still missing. You can also roll a change out as Content-Security-Policy-Report-Only first, which reports violations without blocking anything.
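The following is an added example and not code from the original page or from the video service: it merges the four source lists above into an existing CSP header, respecting the directive fallback chain (frame-src falls back to child-src and then default-src; media-src, img-src and connect-src fall back to default-src), and then checks candidate URLs against the merged policy using CSP host matching, including the rule that a "*." wildcard matches subdomains but not the apex host. The existing policy strings, the page origin https://www.example.com and the sample URLs are constructed for the demonstration; only host sources, 'self', 'none', '*' and bare scheme sources are modelled, so nonces, hashes and other keywords are treated as non-matching.

```javascript
// Added example (not the service's own code): merge Stream sources into an
// existing CSP and evaluate URLs against it with CSP fallback + host matching.

const STREAM_SOURCES = {
  'frame-src':   ["'self'", 'videodelivery.net', '*.cloudflarestream.com'],
  'media-src':   ["'self'", 'videodelivery.net', '*.cloudflarestream.com'],
  'img-src':     ["'self'", '*.videodelivery.net', '*.cloudflarestream.com'],
  'connect-src': ["'self'", '*.videodelivery.net', '*.cloudflarestream.com'],
};

// Directives the browser consults when the named one is absent (CSP Level 3).
const FALLBACK = {
  'frame-src': ['child-src', 'default-src'],
  'media-src': ['default-src'],
  'img-src': ['default-src'],
  'connect-src': ['default-src'],
};

// "name src src; name src" -> Map(name -> [src, ...]), directive names lowercased.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy].map(([name, sources]) => `${name} ${sources.join(' ')}`).join('; ');
}

// Add `required` sources to `header`. A missing directive is seeded from the
// list the browser would otherwise fall back to, so origins that worked before
// keep working; a lone 'none' is dropped because 'none' must stand alone.
function addSources(header, required) {
  const policy = parseCsp(header);
  for (const [directive, sources] of Object.entries(required)) {
    let list = policy.get(directive);
    if (!list) {
      const fb = (FALLBACK[directive] ?? ['default-src']).find((d) => policy.has(d));
      list = fb ? [...policy.get(fb)] : [];
      if (list.length === 1 && list[0] === "'none'") list = [];
    }
    for (const s of sources) if (!list.includes(s)) list.push(s);
    policy.set(directive, list);
  }
  return serializeCsp(policy);
}

// Does one CSP source expression permit `url` on a page at `pageOrigin`?
function matchesSource(source, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "'self'") return u.origin === page.origin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false;              // 'none', nonces, hashes, ...
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  // A scheme-less host source matches the page's scheme (and https on an http page).
  const schemes = scheme ? [`${scheme.toLowerCase()}:`] : [page.protocol, 'https:'];
  if (!schemes.includes(u.protocol)) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.')) return u.hostname.endsWith(h.slice(1)); // subdomains only, not the apex
  return u.hostname === h;
}

// Would the browser allow a load of `url` governed by `directive` under `header`?
function isAllowed(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const governing = [directive, ...(FALLBACK[directive] ?? ['default-src'])]
    .find((d) => policy.has(d));
  if (!governing) return true;                          // nothing restricts this load type
  return policy.get(governing).some((s) => matchesSource(s, url, pageOrigin));
}

// Demo on a constructed existing policy (not a real site's header).
const merged = addSources("default-src 'self'; script-src 'self' cdn.example.com", STREAM_SOURCES);
console.log(merged);
console.log(isAllowed(merged, 'frame-src', 'https://iframe.cloudflarestream.com/abc', 'https://www.example.com'));
console.log(isAllowed(merged, 'frame-src', 'https://cloudflarestream.com/abc', 'https://www.example.com'));
```

Running it prints the merged header followed by true and then false: the subdomain embed is permitted, while the apex host is not, because *.cloudflarestream.com never matches cloudflarestream.com itself. The same check shows that a policy containing only default-src 'self' blocks every one of the four load types until the explicit directives are added.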

Web apps that do not send a Content-Security-Policy header at all (a weaker security posture) do not need these directives, since the browser applies no restriction. Any site that sends a policy does need them, even one that sets only default-src, because default-src governs frames, media, images and connections whenever the specific directive is missing.

