LiveWhale

Restricting script and iframe src by hostname whitelist

How to restrict script and iframe tag src by hostname whitelist.

As a security measure, LiveWhale restricts the use of script tags and iframe tags within editable regions of web pages and WYSIWYG fields for all content types. If the “src” attribute of these tags does not point to a hostname in the whitelist, they will be stripped.

The hostname whitelist comes prefilled with various approved third-party hosts, like YouTube, Google, etc. However, you may add or remove hosts from the whitelist as desired.

Open the LiveWhale public client config (/livewhale/client/public.config.php) using an FTP client or via the command line.

Add a hostname to the whitelist:

$_LW->CONFIG['HOSTNAME_WHITELIST'][]='www.host.com';

Wildcard prefixes on domains are also allowed as follows:

$_LW->CONFIG['HOSTNAME_WHITELIST'][]='*.host.com';

This will authorize a host within the page editing environment.

Open the LiveWhale private client config (/livewhale/client/private.config.php) using an FTP client or via the command line.

Repeat the same process for the private config. This will authorize a host within the backend content management interfaces.
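Before adding entries to either config file, it can help to see which script and iframe hosts in a piece of content a given whitelist would cover. The following is an added example, not LiveWhale's own code: the function names, the sample whitelist and the sample markup are constructed, and the matching rules (exact match for plain entries, "*.host.com" matching subdomains only) are assumptions about how the whitelist is applied.

```php
<?php
// Added example, not LiveWhale code. Assumed matching rules: exact entries match
// the whole hostname; "*.host.com" matches any subdomain but not host.com itself.

// Constructed whitelist, in the same string format as the config entries.
$whitelist = ['www.host.com', '*.example.org'];

// Constructed sample markup from an editable region.
$html = <<<'HTML'
<script src="https://www.host.com/widget.js"></script>
<iframe src="//cdn.example.org/embed/1"></iframe>
<iframe src="https://notexample.org/embed"></iframe>
<script src="https://host.com/widget.js"></script>
HTML;

function host_is_whitelisted(string $host, array $whitelist): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($whitelist as $entry) {
        $entry = strtolower($entry);
        if (strncmp($entry, '*.', 2) === 0) {
            // Keep the leading dot so "notexample.org" cannot match "*.example.org".
            $suffix = substr($entry, 1);
            if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
                return true;
            }
        } elseif ($host === $entry) {
            return true;
        }
    }
    return false;
}

function audit_sources(string $html, array $whitelist): array
{
    libxml_use_internal_errors(true); // tolerate fragment markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $report = [];
    foreach (['script', 'iframe'] as $tag) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $host = parse_url($node->getAttribute('src'), PHP_URL_HOST);
            if (is_string($host)) { // skip inline or relative src: no hostname to check
                $report[$host] = host_is_whitelisted($host, $whitelist) ? 'listed' : 'NOT listed';
            }
        }
    }
    return $report;
}

foreach (audit_sources($html, $whitelist) as $host => $status) {
    echo str_pad($host, 28), $status, PHP_EOL;
}
```

A wildcard entry authorizes every subdomain of that domain, so prefer an exact hostname when only one host is needed.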

Note: Inline scripts (without a src) are only allowed via the “Edit Source” button on the page editing toolbar. This should be considered when authorizing users for that feature.
