Improvement
Jul 6, 2025
For all store admins & integration partners:
What’s new
Content-Security-Policy (CSP) enforced
We now send the Content-Security-Policy header in enforcing mode (not report-only). We announced the upcoming enforcement in the change log in 2024 and have run the policy in report-only mode since then as a transition period.
Mixed-content rule switched to upgrade-insecure-requests – secure by default.
Simplified image policy
img-src is relaxed to 'self' data: https:, so images may load from the store itself, from any HTTPS host, or as data: URIs.
No more country-specific Google host list to maintain.
Google Tag Manager support
frame-src now whitelists https://*.googletagmanager.com.
Live policy reports
Violation reports go to https://aicommerce.store/api/service/cspReport.
Helps us spot and fix blocked URLs in real time.
Action required for new integrations
Add your domains up-front – any script, iframe, websocket or font from an unlisted host is blocked by default.
Send the hostnames and required directive (script-src, connect-src, etc.) to DevOps before launching.
Forgot to add it?
The request is blocked; you’ll see it in the browser console and in our “URL block” dashboard.
We can auto-whitelist the domain afterwards, but the service stays offline until someone updates the policy.
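To preview what the enforced policy will block before launch, here is an added example (not the platform's own code, and not a copy of its full header): it assembles a policy from the directives named above, with an assumed store origin and assumed default-src/script-src values, applies upgrade-insecure-requests first, and reports which planned requests would be blocked.

```python
from urllib.parse import urlparse

# Constructed policy: the directives named in this change log plus an assumed
# default-src and script-src so the fallback logic has something to resolve to.
POLICY = (
    "default-src 'self'; "
    "img-src 'self' data: https:; "
    "frame-src 'self' https://*.googletagmanager.com; "
    "script-src 'self' https://www.googletagmanager.com; "
    "upgrade-insecure-requests; "
    "report-uri https://aicommerce.store/api/service/cspReport"
)
SITE = "https://example-store.invalid"  # assumed store origin used for 'self'

def parse_policy(header):
    """Turn a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, self_origin):
    """Minimal source matching: 'none', 'self', scheme sources, host sources
    with a leading *. wildcard. Ports and path matching are ignored."""
    u, s = urlparse(url), urlparse(self_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    if source.endswith(":"):            # scheme source such as https: or data:
        return u.scheme == source[:-1]
    src = urlparse(source if "://" in source else "https://" + source)
    if "://" in source and src.scheme != u.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):           # *.example.com needs at least one label
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def is_allowed(policy, directive, url, self_origin=SITE):
    """Upgrade http:// like the browser would, then resolve the directive
    (falling back to default-src) and test the URL against its sources."""
    if "upgrade-insecure-requests" in policy and url.startswith("http://"):
        url = "https://" + url[len("http://"):]
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(src, url, self_origin) for src in sources)

def blocked_requests(header, requests, self_origin=SITE):
    """Pre-launch check: the (directive, url) pairs this policy would block."""
    policy = parse_policy(header)
    return [(d, u) for d, u in requests if not is_allowed(policy, d, u, self_origin)]
```

Every pair returned by blocked_requests is a host you still need to send to DevOps with its directive before launch.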
Why this is good news
• Tighter security – prevents malicious third-party content and data-leak beacons.
• Zero mixed-content warnings – browsers silently upgrade insecure links.
• Faster issue tracing – one CSP violation report pinpoints exactly what broke.
Take a moment to review any custom plugins or marketing tags you plan to add. Send us the host list early and you’re good to go!