Placing ads on sites with CSP
If you want ads displayed on your site, embed the ad unit code inside the HTML code of your site pages. Sites that support the Content Security Policy will only execute this embed code under special circumstances. In particular, the browser needs to receive permission to process data in the HTTP header, which includes the permission to display ads, load images, and use styles.
Add the following code to the HTTP header:
Content-Security-Policy:
default-src 'none';
connect-src 'self' blob: yastatic.net *.adfox.ru *.yandex.ru yandex.ru yandex.com;
frame-src yandexadexchange.net *.yandexadexchange.net yastatic.net *.yandex.ru *.adfox.ru;
img-src 'self' *.yandex.net *.adfox.ru *.yandex.ru yandex.ru yandex.com data:;
media-src yastatic.net *.yandex.net *.yandex.ru *.adfox.ru yandex.ru yandex.com blob: data:;
script-src 'unsafe-inline' 'unsafe-eval' yastatic.net *.yandex.ru *.adfox.ru yandex.ru yandex.com verify.yandex.ru*;
style-src 'unsafe-inline' 'unsafe-eval' yastatic.net *.adfox.ru;
font-src 'self' yastatic.net data:;For img-src, we recommend adding an array of *.yandex.ru subdomains. This will let you keep your settings unchanged in the future.
The HTTP header directives script-src and style-src should receive the nonce attribute. This attribute must contain a string value in the form of a random sequence of Latin characters and numbers. This value must be randomly generated on the server, independently for each request.
Content-Security-Policy: script-src 'nonce-<sequence of characters>'; style-src 'nonce-<sequence of characters>'Add the following code to the HTTP header:
Content-Security-Policy: default-src 'none'; connect-src 'self' blob: yastatic.net *.adfox.ru *.yandex.ru yandex.ru yandex.com; frame-src yandexadexchange.net *.yandexadexchange.net yastatic.net *.yandex.ru *.adfox.ru; img-src 'self' *.yandex.net *.adfox.ru *.yandex.ru yandex.ru yandex.com data:; media-src yastatic.net *.yandex.net *.yandex.ru *.adfox.ru yandex.ru yandex.com blob: data:; script-src 'nonce-<sequence of characters>' 'unsafe-inline' 'unsafe-eval' yastatic.net *.yandex.ru *.adfox.ru yandex.ru yandex.com verify.yandex.ru*; style-src 'nonce-<sequence of characters>' 'unsafe-inline' 'unsafe-eval' yastatic.net *.adfox.ru; font-src 'self' yastatic.net data:;For
img-src, we recommend adding a lot of *.yandex.com subdomains. This will let you keep your settings unchanged in the future.- Add the value of the nonce attribute applied in the first step into the code of each Yandex Advertising Network ad unit on your site's pages.
<div id="yandex_rtb_R-A-123456-1"></div> <script type="text/javascript" nonce="<sequence of characters>"> (function(w, d, n, s, t) { w[n] = w[n] || []; ...
