Security
In this section we will cover some essential security concepts and how they affect the use of the Blend widgets.
CORS - Cross-Origin Resource Sharing
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own. We maintain a list of allowed origins in our database for any given tenant, and the widgets will only work if the origin of the page where they are embedded is in this list. This prevents malicious websites from embedding our widgets and tricking users into thinking they are booking with the website they are on.
The allowed origins are configured in the Blend App under the External domains section. If you are not a direct Blend customer but are integrating the widgets on behalf of a customer, you will need to contact the customer to add the domain(s) of the website where you are embedding the widgets. The allowed origins list is also used to restrict which origins can initiate a Nets payment.
CSP - Content Security Policy
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standardised HTTP headers that allow a server to declare the sources of content that are allowed to be loaded into a page.
If you are using CSP on your website, you will need to add directives to allow the Blend widgets to load. The following domains are used when you use the widgets:
Domain | Type | Description |
---|---|---|
https://widgets.blendbooking.com | script-src, style-src | The domain where the widgets' JS and CSS are hosted |
https://web-api.blendbooking.com | connect-src | API requests will go here very soon |
https://res.cloudinary.com | img-src | The current domain where images are loaded from |
This list might not be 100% complete, so if you are using CSP and you are having issues with the widgets, please contact us and we will help you.
Currently we only support Cloudinary as an image provider, but others might be added in the future.
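To check that an existing policy admits the sources in the table above, here is an added example (not Blend's code) in JavaScript: it parses a CSP header value, applies the default-src fallback that fetch directives inherit, and lists the required sources the policy would still block. The directive-to-domain mapping comes from the table; the checker itself and its handling of wildcard hosts are my assumptions.

```javascript
// Added example (not Blend's code): report which sources needed by the
// Blend widgets a given CSP policy string would block.

// Directive -> origins, taken from the table on this page.
const REQUIRED_SOURCES = {
  "script-src": ["https://widgets.blendbooking.com"],
  "style-src": ["https://widgets.blendbooking.com"],
  "connect-src": ["https://web-api.blendbooking.com"],
  "img-src": ["https://res.cloudinary.com"],
};

// Parse "directive src src; directive src" into Map(directive -> [sources]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression from the policy cover the https origin we need?
// Handles exact origins, bare host names and "*.example.com" wildcards.
function sourceAllows(expr, origin) {
  const e = expr.toLowerCase();
  const host = origin.replace(/^https:\/\//, "");
  if (e === "*" || e === origin || e === host) return true;
  const wildcard = e.match(/^(?:https:\/\/)?\*\.(.+)$/);
  return Boolean(wildcard && host.endsWith("." + wildcard[1]));
}

// Return "directive origin" strings for every required source the policy blocks.
function missingWidgetSources(policy) {
  const directives = parseCsp(policy);
  const missing = [];
  for (const [directive, origins] of Object.entries(REQUIRED_SOURCES)) {
    // Fetch directives fall back to default-src when not set explicitly.
    const sources = directives.get(directive) ?? directives.get("default-src") ?? [];
    for (const origin of origins) {
      if (!sources.some((s) => sourceAllows(s, origin))) missing.push(`${directive} ${origin}`);
    }
  }
  return missing;
}
```

An empty result means the policy already lists every source in the table; anything returned is the directive you still need to extend.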
CSRF - Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF is not that relevant for the Blend widgets, because they are not used to make any authenticated requests to the API.
XSS - Cross-Site Scripting
Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
When Blend customers curate their content, we sanitize it to prevent XSS attacks. We strive to make the widgets as safe as possible by also using safe HTML parsers for rich text content displayed in the widgets. It is still generally a good idea to use a strict Content Security Policy (CSP) to prevent XSS attacks.