Placing ads on websites with CSP
If you want ads displayed on your site, embed the ad block code in the HTML code of your site's pages. On websites that use a Content Security Policy (CSP), the browser executes this embedded code only if the policy allows it. In particular, the HTTP header must give the browser permission to process the data, which includes permission to display ads, load images, and use styles.
Add the following code to the HTTP header:
Content-Security-Policy:
default-src 'none';
connect-src 'self' an.yandex.ru strm.yandex.ru verify.yandex.ru *.verify.yandex.ru mc.yandex.ru yandex.st yastatic.net matchid.adfox.yandex.ru adfox.yandex.ru ads.adfox.ru ads6.adfox.ru jstracer.yandex.ru yastat.net yandex.ru;
frame-src awaps.yandex.net yandexadexchange.net *.yandexadexchange.net yastatic.net *.yandex.ru banners.adfox.ru yastat.net;
img-src 'self' data: *.yandex.net an.yandex.ru verify.yandex.ru *.verify.yandex.ru banners.adfox.ru content.adfox.ru ads.adfox.ru ads6.adfox.ru yastat.net;
media-src *.yandex.net strm.yandex.ru *.strm.yandex.ru yandex.ru yandex.st yastatic.net banners.adfox.ru content.adfox.ru yastat.net data:;
script-src 'unsafe-inline' 'unsafe-eval' an.yandex.ru yandex.st yastatic.net mc.yandex.ru banners.adfox.ru ads.adfox.ru ads6.adfox.ru yastat.net yandex.ru;
style-src 'unsafe-inline' 'unsafe-eval' yandex.st yastatic.net banners.adfox.ru content.adfox.ru yastat.net;
font-src 'self' data: an.yandex.ru yastatic.net yastat.net
For img-src, we recommend adding a lot of *.yandex.com subdomains. This will let you keep your settings unchanged in the future.
The script-src and style-src directives in the HTTP header should include the nonce attribute. Its value must be a string consisting of a random sequence of Latin characters and numbers. This value must be randomly generated on the server, independently for each request.
Content-Security-Policy: script-src 'nonce-<sequence of characters>'; style-src 'nonce-<sequence of characters>'
Add the following code to the HTTP header:
Content-Security-Policy:
default-src 'none';
connect-src 'self' an.yandex.ru strm.yandex.ru verify.yandex.ru *.verify.yandex.ru mc.yandex.ru yandex.st yastatic.net matchid.adfox.yandex.ru adfox.yandex.ru ads.adfox.ru ads6.adfox.ru jstracer.yandex.ru yastat.net yandex.ru;
frame-src awaps.yandex.net yandexadexchange.net *.yandexadexchange.net yastatic.net *.yandex.ru banners.adfox.ru yastat.net;
img-src 'self' data: *.yandex.net an.yandex.ru verify.yandex.ru *.verify.yandex.ru banners.adfox.ru content.adfox.ru ads.adfox.ru ads6.adfox.ru yastat.net;
media-src *.yandex.net strm.yandex.ru *.strm.yandex.ru yandex.ru yandex.st yastatic.net banners.adfox.ru content.adfox.ru yastat.net data:;
script-src 'nonce-<sequence of characters>' 'unsafe-inline' 'unsafe-eval' an.yandex.ru yandex.st yastatic.net mc.yandex.ru banners.adfox.ru ads.adfox.ru ads6.adfox.ru yastat.net yandex.ru;
style-src 'nonce-<sequence of characters>' 'unsafe-inline' 'unsafe-eval' yandex.st yastatic.net banners.adfox.ru content.adfox.ru yastat.net;
font-src 'self' data: an.yandex.ru yastatic.net yastat.net
For img-src, we recommend adding a lot of *.yandex.com subdomains. This will let you keep your settings unchanged in the future.
Add the value of the nonce attribute applied in the first step into the code of each YAN ad block on your website's pages.
<div id="yandex_rtb_R-A-123456-1"></div>
<script type="text/javascript" nonce="<sequence of characters>">
(function(w, d, n, s, t) {
w[n] = w[n] || [];
...
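The per-request nonce described above, shown server-side in Node.js. This is an added example, not code from the original page or from Yandex. The function names, the block id pattern (inferred from the sample id on this page), and the Cache-Control header are assumptions; only the script-src and style-src part of the policy is built, and the other directives stay as listed above.

```javascript
// Added example: one fresh CSP nonce per request, used in the header and in the ad block markup.
const { randomBytes } = require('node:crypto');

// Source lists copied from the policy on this page.
const SCRIPT_SRC = "'unsafe-inline' 'unsafe-eval' an.yandex.ru yandex.st yastatic.net mc.yandex.ru banners.adfox.ru ads.adfox.ru ads6.adfox.ru yastat.net yandex.ru";
const STYLE_SRC = "'unsafe-inline' 'unsafe-eval' yandex.st yastatic.net banners.adfox.ru content.adfox.ru yastat.net";

// 16 bytes from the OS CSPRNG, hex-encoded: 32 Latin letters and digits.
function makeNonce() {
  return randomBytes(16).toString('hex');
}

// Build the nonce-bearing directives of the header value.
function buildCsp(nonce) {
  if (!/^[0-9a-f]{32}$/.test(nonce)) throw new Error('unexpected nonce format');
  return `script-src 'nonce-${nonce}' ${SCRIPT_SRC}; style-src 'nonce-${nonce}' ${STYLE_SRC}`;
}

// Hypothetical helper: emit the ad block container and its script tag.
// blockId is validated before it is written into HTML (pattern is an assumption).
function renderAdBlock(blockId, nonce, scriptBody) {
  if (!/^R-A-\d+-\d+$/.test(blockId)) throw new Error('bad block id');
  return `<div id="yandex_rtb_${blockId}"></div>\n` +
    `<script type="text/javascript" nonce="${nonce}">${scriptBody}</script>`;
}

// Call once per HTTP request. The nonce is never stored or reused.
function respond(blockId, scriptBody) {
  const nonce = makeNonce();
  return {
    headers: {
      'Content-Security-Policy': buildCsp(nonce),
      // Assumption: a cached copy of the page would replay the same nonce.
      'Cache-Control': 'no-store',
    },
    body: renderAdBlock(blockId, nonce, scriptBody),
  };
}
```

In browsers that support nonces, 'unsafe-inline' in a directive is ignored once a nonce is present, so inline scripts and styles without the matching nonce attribute are blocked.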