localhost if you wish to test the iframe during development.
https:// (except http://localhost), and have no path. Wildcards to allow all subdomains under a domain are permitted, for example https://*.domain.com. If you are using a port other than 443 for https, you need to include a line allowing it, for example https://dev.domain.com:8080.
?avatarUrl=<url> feature. The domain used for hosting your avatars must be added to the "Allowed domains" list in order for the images to show up.
content-security-policy section