Security
For the host (partner)
Section titled “For the host (partner)”- Always set an explicit
targetOrigin— never*in production. - Validate
event.originandevent.sourceon inbound messages (useisTrustedPostMessageEvent). - Prefer short-lived tokens and refresh them via
updateAuthToken()before expiry. - Avoid exposing Segmentify API keys in client-side code where possible — prefer a partner backend-for-frontend (BFF) proxy.
- Call
controller.dispose()(iframe) orunmount()(mount) when removing CDP.
CSP on your page (allow the CDP frame)
Section titled “CSP on your page (allow the CDP frame)”Content-Security-Policy: frame-src https://cdp.segmentify.com;For Segmentify (platform)
Section titled “For Segmentify (platform)”- Add partner domains to the API CORS allowlist.
- Issue scoped API keys per partner (least privilege).
- Serve CDP embed pages with a
frame-ancestorspolicy restricted to partner domains. - Support token refresh via
SEGMENTIFY_HOST_AUTH_UPDATE. - Log
SEGMENTIFY_MFE_ERRORevents reported by embeds.
CSP on the CDP embed origin (set by Segmentify)
Section titled “CSP on the CDP embed origin (set by Segmentify)”Content-Security-Policy: frame-ancestors https://partner.example.com;CDP API calls originate from the browser. The partner origin must be on the Segmentify API CORS allowlist, or the calls should be proxied through a partner BFF. CORS failures show up as blocked network requests — see Troubleshooting.