Adding domains to the Content Security Policy

    To maintain PCI compliance, Jumbo Lottery Platform (JLP) is enabling Content Security Policy (CSP) for all Partner Lottery Sites.

    This change has been carefully implemented to ensure there is no impact on existing site functionality, as our engineers have tailored the CSP settings for each site individually. However, moving forward, you may encounter instances where scripts added via Google Tag Manager (GTM) are blocked. This guide will walk you through the process of allowing these scripts by adding their source domains to the CSP.

     

    Identifying CSP Errors

    1. Navigate to your Lottery website's home page.

    2. Press F12 to open Developer Tools and select the Console tab.

    3. Refresh your page.

    4. If any CSP-related errors appear, follow the steps below to resolve them.

    Updating the CSP Configuration

    1. Log in to the Jumbo Lottery Platform (JLP) admin site.

    2. Navigate to:

      • Operations > Platform Configs > Site Config

      • Search for CSP and click Edit.

    3. Depending on the CSP error, add the appropriate domain to the correct policy:

      • script-src: Allows execution of scripts from the specified domain.

      • style-src: Allows loading of styles from the specified domain.

      • connect-src: Allows requests to specified domains for data fetching or API calls.

    4. Click Add item for the required CSP directive.

    5. Enter a description (this can be anything meaningful for reference).

    6. Enter the domain in the Source field.

    7. Click Save.

    Verifying the CSP Update

    1. Navigate to your Lottery website's home page.

    2. Press F12 to open Developer Tools.

    3. Go to the Network tab.

    4. Select All, then refresh your page.

    5. Scroll to the top of the Network tab.

    6. Locate and click the www.yourSite.com.au request in the Name column.

    7. Click the Headers tab.

    8. Find the Content-Security-Policy section and verify that the domain you added is listed.

    9. Return to the Console tab and confirm that the previous CSP errors no longer appear.
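    The "Identifying CSP Errors" and "Verifying the CSP Update" steps can also be checked in code. The following is an added example, not part of the JLP platform or this guide's original text: it maps a reported violation to the directive to edit and the domain to enter, then checks whether a Content-Security-Policy header value already lists that domain. The sample header, the domains in it and the function names are constructed for illustration, and the source matching is deliberately simplified.

```javascript
// Constructed sample policy for illustration; not JLP's real header.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com " +
  "*.example-cdn.test; connect-src 'self'";

// Split a Content-Security-Policy value into { directive: [sources] }.
// If a directive is repeated, the first occurrence wins, as in browsers.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Simplified host-source match: optional scheme, optional leading "*."
// wildcard; ports and paths are ignored, keywords like 'self' never match.
function hostAllowed(source, url) {
  if (source === '*') return true;
  if (source.startsWith("'")) return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

// Map one violation (fields as on SecurityPolicyViolationEvent) to the
// directive to edit and the domain to enter, and check the current header.
function checkViolation(header, violation) {
  // Browsers may report script-src-elem / style-src-attr; these fall back
  // to script-src / style-src, which are the directives the guide lists.
  const directive = violation.effectiveDirective.replace(/-(elem|attr)$/, '');
  let url;
  try {
    url = new URL(violation.blockedURI);
  } catch {
    // "inline" or "eval": no domain to add, allow-listing cannot fix it.
    return { directive, domain: null, listed: false };
  }
  const policy = parseCsp(header);
  const sources = policy[directive] || policy['default-src'] || [];
  return { directive, domain: url.hostname, listed: sources.some((s) => hostAllowed(s, url)) };
}
```

    In a browser, the same function can be fed live events from `document.addEventListener('securitypolicyviolation', ...)`, passing the header value copied from the Network tab. A result with `listed: true` after saving means the domain is in the policy; a `null` domain means the error came from inline code rather than a blocked domain.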

    By following these steps, you can ensure that necessary third-party scripts and resources function correctly while maintaining security and compliance with CSP policies.

     
