In this article, we will cover:
- Securing Your Tint Embeds: Whitelisting and CSP Best Practices
- What is Whitelisting?
- What is CSP?
- Other potential connected whitelist options that are used by TINT
What is Whitelisting?
Whitelisting allows access to only pre-approved entities—such as IP addresses, domains, or users—preventing unauthorized interactions. For *.tintup.com, this means ensuring only trusted resources or users can interact with the embed or backend services.
How to Implement Whitelisting for the Embed Script or URLs:
Restrict the embed script to trusted domains, ensuring it can only be loaded where authorized. TINT's embed scripts are typically served from the following URLs:
-
-
https://app.tintup.com/dist/embedded.js- Legacy URLs:
https://www.tintup.com/app/dist/embedded.jshttps://cdn.hypemarks.com/pages/a5b5e5.jshttps://cdn.hypemarks.com/dist/embedded.js
-
How It’s Done: Ask your web team to configure your server or CDN (where the script is stored) to allow it to work only on trusted websites and services.
Example: Only allow scripts to load from *.tintup.comif your embed is https://app.tintup.com/dist/embedded.js or https://www.tintup.com/app/dist/embedded.js
Ifhttps://cdn.hypemarks.com/pages/a5b5e5.js or https://cdn.hypemarks.com/dist/embedded.js is the embed script, only allows scripts to load from https://*.hypemarks.com;
As the Hypemarks script is no longer actively used, we suggested that you make sure that you whitelist both https://*.hypemarks.com; and *.tintup.comto future-proof your web embeds.
What is CSP?
Content Security Policy (CSP) is a browser-level security mechanism that controls which resources (scripts, styles, images, etc.) can be loaded on a web page. It prevents malicious code execution and resource injection attacks.
You can use a CSP header to specify where scripts are allowed to load from.
How It’s Done: Ask your web team to add the following Content Security Policy header to your website’s configuration.
Example: Only allow scripts to load from *.tintup.comif your embed is https://app.tintup.com/dist/embedded.js or https://www.tintup.com/app/dist/embedded.js
Ifhttps://cdn.hypemarks.com/pages/a5b5e5.js or https://cdn.hypemarks.com/dist/embedded.js is the embed script, only allows scripts to load from https://*.hypemarks.com;
How to Implement CSP for Tint Embeds (New Version):
Add a CSP header to your website’s HTTP responses. For example:
-
script-src: Allows JavaScript to be loaded only from your own domain - (
'self') andhttps://*.tintup.com -
frame-src: Ensures onlyhttps://*.tintup.comcan be embedded in frames (e.g., for the embed widget) -
connect-src: Allows data fetching or API calls tohttps://*.tintup.comandhttps://*.amazonaws.comfor TINT's analytics
How to Implement CSP for Tint Embeds (Old Version):
As the Hypemarks script is no longer actively used, we suggested that you make sure that you whitelist both https://*.hypemarks.com; and *.tintup.comto future-proof your web embeds.
Other potential connected whitelist options that are used by TINT:
-
Instagram
https://*.instagram.comhttps://*.cdninstagram.com
-
X / Twitter
https://api.twitter.comhttps://twitter.comhttps://pbs.twimg.comhttps://*.x.com
-
Facebook
https://*.facebook.comhttps://scontent.xx.fbcdn.nethttps://www.facebook.net
-
TikTok
https://*.tiktok.comhttps://sf16-ies-music-va.tiktok.comhttps://www.tiktokcdn.com
-
Pinterest
https://www.pinterest.comhttps://www.pinterest.com/api/https://pinimg.com
If you have any questions regarding whitelist and CSP, don't hesitate to contact Technical Support at support-advocacy@trueloyal.com.
Comments
Please sign in to leave a comment.