Embedding external JavaScript into the application
To connect certain third-party tools, custom JavaScript must be executed in the browsers of visitors to the 3YOURMIND application.
Examples are:
Google Analytics or other tracking tools
A cookie banner
A support widget
A chatbot
Steps
Two steps are necessary to embed an external JavaScript into the application:
Add external domains to the CSP Header
3YOURMIND has a Content Security Policy in place that protects against certain forms of cybersecurity attacks. Its default settings disallow loading content from any domain that is not part of the policy.
If you skip this step then you will see the following error in the browser's JavaScript console:
Refused to load the script '[domain]' because it
violates the following Content Security Policy directive:
"script-src 'self' 'unsafe-inline' 'unsafe-eval' google.com *.amazonaws.com
*.gstatic.com *.stripe.com *.stripe.network pagecdn.io".
Note that 'script-src-elem' was not explicitly set, so 'script-src'
is used as a fallback.
To add a domain to the list of allowed domains, you must add the following content to the values.yaml configuration file. For SaaS installations this can only be done by our Technical Support Team:
serviceConfig:
  revproxy:
    extraCspSources: "[List of domains, separated by whitespace]"
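To work out which origins actually need to go into extraCspSources, the following added example (not 3YOURMIND code) checks a list of script URLs against the default script-src list from the error message above. The function names, the page URL and the widget domain are assumptions made up for illustration, and the matching is a simplified version of the CSP rules.

```javascript
// Added example. Simplified CSP source matching: ports, paths and the
// http-to-https upgrade rule for explicit schemes are not modelled.
// Default script-src list copied from the console error shown above.
const DEFAULT_SCRIPT_SRC =
  "'self' 'unsafe-inline' 'unsafe-eval' google.com *.amazonaws.com " +
  "*.gstatic.com *.stripe.com *.stripe.network pagecdn.io";

// Does a single source expression allow this script URL?
function sourceAllows(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // other keywords never match a host
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase(); // scheme-source, e.g. https:
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const scheme = m[1];
  const pattern = m[2].toLowerCase();
  const schemeOk = scheme
    ? url.protocol === scheme.toLowerCase() + ":"
    : url.protocol === page.protocol || url.protocol === "https:";
  if (!schemeOk) return false;
  const host = url.hostname.toLowerCase();
  // "*.example.com" covers subdomains only, not example.com itself.
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === "*" || host === pattern;
}

// Origins that are still blocked and would have to go into extraCspSources.
function missingSources(scriptUrls, pageUrl, extraCspSources = "") {
  const sources = `${DEFAULT_SCRIPT_SRC} ${extraCspSources}`.split(/\s+/).filter(Boolean);
  const page = new URL(pageUrl);
  const missing = new Set();
  for (const raw of scriptUrls) {
    const url = new URL(raw, page); // resolves relative script paths
    if (!sources.some((s) => sourceAllows(s, url, page))) missing.add(url.origin);
  }
  return [...missing].sort();
}

// Constructed sample input: placeholder page URL and script list.
const PAGE = "https://app.example.com/";
const SCRIPTS = [
  "/static/app.js",
  "https://js.stripe.com/v3/",
  "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",
  "https://widget.example.net/chat.js",
];
console.log(missingSources(SCRIPTS, PAGE).join(" "));
```

Listing only the exact origins reported here keeps the allow-list as narrow as the embedded tool permits.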
Google Analytics
Due to different versions of Google Analytics (+ combinations with the Tag Manager), it is complicated to add the right domains - expect some trial & error.
Review this resource:
https://developers.google.com/tag-platform/tag-manager/web/csp
Here is a working example of a Google Tag Manager setting:
extraCspSources: "'unsafe-inline' https://www.googletagmanager.com"
If Google Analytics 4 is used, use the following domains:
Add the script to the admin panel
Go to the admin panel (by adding /admin to the domain).
There, go to: Organizations > Your Organization
Add the script wrapped in a <script> tag into the Extra Script box
Click on Save
Example: