In this article, we will cover:
- Securing Your Tint Embeds: Whitelisting and CSP Best Practices
- What is Whitelisting?
- What is CSP?
- Other potential connected whitelist options that are used by TINT
What is Whitelisting?
Whitelisting allows access to only pre-approved entities—such as IP addresses, domains, or users—preventing unauthorized interactions. For *.tintup.com, this means ensuring only trusted resources or users can interact with the embed or backend services.
How to Implement Whitelisting for the Embed Script or URLs:
Restrict the embed script to trusted domains, ensuring it can only be loaded where authorized. TINT's embed scripts are typically served from the following URLs:
- https://app.tintup.com/dist/embedded.js
- Legacy URLs:
  - https://www.tintup.com/app/dist/embedded.js
  - https://cdn.hypemarks.com/pages/a5b5e5.js
  - https://cdn.hypemarks.com/dist/embedded.js
How It’s Done: Ask your web team to configure your server or CDN (where the script is stored) to allow it to work only on trusted websites and services.
Example: If your embed is https://app.tintup.com/dist/embedded.js or https://www.tintup.com/app/dist/embedded.js, only allow scripts to load from *.tintup.com. If https://cdn.hypemarks.com/pages/a5b5e5.js or https://cdn.hypemarks.com/dist/embedded.js is the embed script, only allow scripts to load from https://*.hypemarks.com.
As the Hypemarks script is no longer actively used, we suggest that you whitelist both https://*.hypemarks.com and *.tintup.com to future-proof your web embeds.
What is CSP?
Content Security Policy (CSP) is a browser-level security mechanism that controls which resources (scripts, styles, images, etc.) a web page is allowed to load. It helps prevent malicious code execution and resource injection attacks by blocking any resource whose origin the policy does not allow.
You can use a CSP header to specify where scripts are allowed to load from.
How It’s Done: Ask your web team to add the following Content Security Policy header to your website’s configuration.
Example: If your embed is https://app.tintup.com/dist/embedded.js or https://www.tintup.com/app/dist/embedded.js, only allow scripts to load from *.tintup.com. If https://cdn.hypemarks.com/pages/a5b5e5.js or https://cdn.hypemarks.com/dist/embedded.js is the embed script, only allow scripts to load from https://*.hypemarks.com.
How to Implement CSP for Tint Embeds (New Version):
Add a CSP header to your website’s HTTP responses. For example:
- script-src: Allows JavaScript to be loaded only from your own domain ('self') and https://*.tintup.com
- frame-src: Ensures only https://*.tintup.com can be embedded in frames (e.g., for the embed widget)
- connect-src: Allows data fetching or API calls to https://*.tintup.com and https://*.amazonaws.com for TINT's analytics
How to Implement CSP for Tint Embeds (Old Version):
As the Hypemarks script is no longer actively used, we suggest that you whitelist both https://*.hypemarks.com and *.tintup.com to future-proof your web embeds.
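To see what the directives above actually let through, here is an added example (not part of this article or of TINT's own code) that parses a CSP header and checks each of the embed URLs listed earlier against it. The two policy strings are constructed from the new-version directives, with and without the legacy https://*.hypemarks.com host; the page origin https://www.example.com is an assumption.

```python
from urllib.parse import urlsplit

# Policies constructed from the directives described above; adapt to your site.
NEW_POLICY = ("default-src 'self'; "
              "script-src 'self' https://*.tintup.com; "
              "frame-src https://*.tintup.com; "
              "connect-src https://*.tintup.com https://*.amazonaws.com")
# Same policy with the legacy Hypemarks host also whitelisted for scripts.
FUTURE_PROOF_POLICY = NEW_POLICY.replace(
    "script-src 'self' https://*.tintup.com",
    "script-src 'self' https://*.tintup.com https://*.hypemarks.com")

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Match one host-source expression against a resource URL.
    Handles 'self', bare hosts, scheme://host and *.wildcards; ports and
    paths are ignored to keep the example short."""
    target, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (target.scheme, target.hostname) == (page.scheme, page.hostname)
    if expr.startswith("'"):        # 'none', 'unsafe-inline', nonces, hashes
        return False
    if "://" in expr:
        allowed = urlsplit(expr)
        if allowed.scheme != target.scheme:
            return False
    else:                           # scheme-less host: page scheme or https implied
        if target.scheme not in (page.scheme, "https"):
            return False
        allowed = urlsplit("//" + expr)
    host, pattern = target.hostname or "", allowed.hostname or ""
    if pattern.startswith("*."):    # wildcard covers one or more subdomain labels
        return host.endswith(pattern[1:])
    return host == pattern

def allowed_by(header, directive, url, page_origin="https://www.example.com"):
    """Is url permitted under directive, falling back to default-src?"""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(e, url, page_origin) for e in sources)
```

Running `allowed_by(NEW_POLICY, "script-src", url)` over the four embed URLs shows the Hypemarks scripts blocked under the new-version policy and permitted only once https://*.hypemarks.com is added.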
Other potential connected whitelist options that are used by TINT:
- Instagram
  - https://*.instagram.com
  - https://*.cdninstagram.com
- X / Twitter
  - https://api.twitter.com
  - https://twitter.com
  - https://pbs.twimg.com
  - https://*.x.com
- Facebook
  - https://*.facebook.com
  - https://scontent.xx.fbcdn.net
  - https://www.facebook.net
- TikTok
  - https://*.tiktok.com
  - https://sf16-ies-music-va.tiktok.com
  - https://www.tiktokcdn.com
- Pinterest
  - https://www.pinterest.com
  - https://www.pinterest.com/api/
  - https://pinimg.com
If you have any questions regarding whitelist and CSP, don't hesitate to contact Technical Support at support@tintup.com.