Data Protection and Security

Content-Security-Policy

If the Frontend that embeds nexxPLAY uses a Content Security Policy, the following URLs, Settings and Protocols must be added:

Policy / URL (Info)

script-src
  • arc.nexx.cloud
  • www.gstatic.com (only necessary if Chromecast is used)
  • imasdk.googleapis.com (only necessary if Ads via Google IMA are used)

style-src
  • arc.nexx.cloud

font-src
  • arc.nexx.cloud

frame-src
  • embed.nexx.cloud
  • download.nexx.cloud (only necessary if the Download Functionality is used)

img-src
  • assets.nexx.cloud
  • images.nexx.cloud
  • data:

connect-src
  • arc.nexx.cloud
  • api.nexx.cloud
  • services.nexx.cloud
  • feeds.nexx.cloud (only necessary if Widgets are used)
  • nexxtv-events.servicebus.windows.net
  • *.firebasedatabase.app (only necessary if Realtime Features are used)
  • wss: (only necessary if Realtime Features are used)

media-src
  • blob: (necessary for the Streaming Protocols HLS / DASH)

navigate-to
  • download.nexx.cloud (only necessary if the Download Functionality is used)

Each Customer can use their own Embed URLs / Feed URLs via CNAME, if desired and configured. In that Case, adding the default *.nexx.cloud URLs is not necessary.

Further Considerations:

  • nexxPLAY will automatically and asynchronously download further Scripts, depending on Features and Browser. Therefore, the Page CSP must allow "unsafe-inline" (at least for "script-src"). If this is not an Option, nexxPLAY supports the CSP "nonce" Feature: setting "script-src 'nonce-nexxplay_internal'" will allow Scripts that carry this nonce Attribute, and nexxPLAY adds this Attribute to every additional Script Tag it creates. Note that the CSP nonce mechanism relies on a value that is unpredictable and fresh per Response; a fixed, documented value like this one is guessable and therefore does not provide the protection a per-response nonce would.

  • nexxPLAY MUST use Inline-Styles in various Situations, as it is embedded into a Client Page. In order to allow this, at least "style-src" must be set to "unsafe-inline".

  • Each Customer uses one (or several) Media CDNs for Video/Audio/Live Delivery. Each Customer must therefore add the necessary URLs to at least "media-src" and "connect-src" ("connect-src" is necessary for Licenses and Manifests).

Simple CSP Example

<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data: blob: wss: *.nexx.cloud *.windows.net *.firebasedatabase.app;
         media-src blob: data: *;
         script-src 'nonce-nexxplay_internal' *.nexx.cloud;
         style-src 'unsafe-inline' *.nexx.cloud;
         navigate-to download.nexx.cloud;
         object-src 'none';
         base-uri 'none';" />

This Example will make nexxPLAY work completely, even with Realtime and Download Features. Nevertheless, no Content CDN URLs are shown here, as they are always Customer-specific.

Content-Security and Ads

As a general Rule, 3Q does not recommend using CSP on a Page where Ads will be integrated. Due to the dynamic Nature of Media Ads / VAST, it is nearly impossible to list all possible VAST URLs and Media Origins that may occur.

Furthermore, depending on the used Features, it may be necessary to allow even the JavaScript "eval" Functionality, which poses a Security Risk. Therefore "unsafe-eval" must be allowed in the CSP if advanced Ad Settings are used.

If the Client wants to work with Google IMA, nexxPLAY will automatically download the Google IMA SDK, which will then process all Ad Requests and Reporting. This may pose another Security Hole that must be addressed properly.

nexxPLAY is able to use Anti-Ad-Block Technologies in some Situations. For these Purposes, some additional Scripts will be loaded and processed; here, "unsafe-eval" must also be allowed.
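The directive table and the "Simple CSP Example" above, together with the "unsafe-eval" and Google IMA additions described in this section, lend themselves to a small policy builder and checker. The following is an added example and not code from nexxPLAY or 3Q: it assembles the policy a page embedding nexxPLAY needs from the host names listed on this page, and it checks an existing policy against that list while honouring CSP's fallback of fetch directives to default-src. The feature keys (chromecast, ima, download, widgets, realtime, advancedAds), the function names and the sample CDN host are this example's own assumptions.

```javascript
// Added example (not nexxPLAY's or 3Q's own code). Host names come from the
// directive table on this page; feature keys, function names and the sample
// CDN are assumptions made for this example.

// Sources every nexxPLAY embed needs, per directive.
const BASE_SOURCES = {
  'script-src': ["'nonce-nexxplay_internal'", 'arc.nexx.cloud'],
  'style-src': ["'unsafe-inline'", 'arc.nexx.cloud'],
  'font-src': ['arc.nexx.cloud'],
  'frame-src': ['embed.nexx.cloud'],
  'img-src': ['assets.nexx.cloud', 'images.nexx.cloud', 'data:'],
  'connect-src': ['arc.nexx.cloud', 'api.nexx.cloud', 'services.nexx.cloud',
                  'nexxtv-events.servicebus.windows.net'],
  'media-src': ['blob:'],
};

// Sources only needed when a feature is enabled (feature keys are assumptions).
const FEATURE_SOURCES = {
  chromecast: { 'script-src': ['www.gstatic.com'] },
  ima: { 'script-src': ['imasdk.googleapis.com'] },
  download: { 'frame-src': ['download.nexx.cloud'], 'navigate-to': ['download.nexx.cloud'] },
  widgets: { 'connect-src': ['feeds.nexx.cloud'] },
  realtime: { 'connect-src': ['*.firebasedatabase.app', 'wss:'] },
  // Advanced ad settings and anti-ad-block scripts need eval (see the Ads section).
  advancedAds: { 'script-src': ["'unsafe-eval'"] },
};

// Fetch directives that fall back to default-src when absent; navigate-to does not.
const FALLS_BACK = new Set(Object.keys(BASE_SOURCES));
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

// Directive -> ordered list of required sources for the given features and media CDNs.
function requiredSources(features = [], mediaCdns = []) {
  const req = {};
  const add = (directive, sources) => {
    req[directive] = req[directive] || [];
    for (const s of sources) if (!req[directive].includes(s)) req[directive].push(s);
  };
  for (const [d, s] of Object.entries(BASE_SOURCES)) add(d, s);
  for (const f of features) {
    if (!FEATURE_SOURCES[f]) throw new Error(`unknown feature: ${f}`);
    for (const [d, s] of Object.entries(FEATURE_SOURCES[f])) add(d, s);
  }
  // Customer CDNs serve segments (media-src) and licences/manifests (connect-src).
  add('media-src', mediaCdns);
  add('connect-src', mediaCdns);
  return req;
}

// Serialise a complete policy; object-src and base-uri 'none' as in the page's example.
function buildPolicy(features = [], mediaCdns = []) {
  const parts = ["default-src 'self'"];
  for (const [d, s] of Object.entries(requiredSources(features, mediaCdns))) {
    parts.push(`${d} ${s.join(' ')}`);
  }
  parts.push("object-src 'none'", "base-uri 'none'");
  return parts.join('; ');
}

// Parse a policy string into directive -> Set of source expressions.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = new Set(tokens.slice(1));
  }
  return out;
}

// Does the parsed policy cover one required source expression for a directive?
function covers(parsed, directive, source) {
  let list = parsed[directive];
  if (!list && FALLS_BACK.has(directive)) list = parsed['default-src'];
  if (!list) return false;
  if (list.has(source)) return true;
  const isKeyword = source.startsWith("'");
  const isScheme = source.endsWith(':');
  // '*' matches any host and the network schemes, never keywords or data:/blob:.
  if (list.has('*') && !isKeyword && (!isScheme || NETWORK_SCHEMES.has(source))) return true;
  // A wildcard host such as *.nexx.cloud covers its subdomains.
  if (!isKeyword && !isScheme) {
    for (const s of list) if (s.startsWith('*.') && source.endsWith(s.slice(1))) return true;
  }
  return false;
}

// List "directive source" pairs the policy lacks for the given features.
function missingSources(policy, features = [], mediaCdns = []) {
  const parsed = parsePolicy(policy);
  const missing = [];
  for (const [d, sources] of Object.entries(requiredSources(features, mediaCdns))) {
    for (const s of sources) if (!covers(parsed, d, s)) missing.push(`${d} ${s}`);
  }
  return missing;
}

// The "Simple CSP Example" from this page, embedded here as a constructed test input.
const PAGE_EXAMPLE_POLICY = `default-src 'self' data: blob: wss: *.nexx.cloud *.windows.net;
  media-src blob: data: *;
  script-src 'nonce-nexxplay_internal' *.nexx.cloud;
  style-src 'unsafe-inline' *.nexx.cloud;
  object-src 'none';
  base-uri 'none';`;

console.log(missingSources(PAGE_EXAMPLE_POLICY, ['realtime', 'download']));
console.log(buildPolicy(['ima', 'advancedAds'], ['cdn.example.com']));
```

Run against the page's own example with the realtime and download features enabled, the checker reports the two entries that the directive table requires but the example does not grant: `connect-src *.firebasedatabase.app` (no wildcard in default-src covers it) and `navigate-to download.nexx.cloud` (navigate-to has no default-src fallback). The builder emits explicit per-directive lists instead of leaning on default-src, which keeps the customer CDN out of directives that do not need it.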

iFrame Settings

nexxPLAY iFrames automatically emit CORP and COOP Headers as necessary. If the Environment also needs COEP, the Embed Codes can be extended with the "enableCOEP" Parameter to also emit this Header.

nexxPLAY also supports Environments with a "sandbox" Attribute. The only strictly necessary Permission is "allow-scripts"; everything else is optional and depends on the enabled Functionalities. "allow-popups" is often needed for various Scenarios, but not for basic Operation.

Third-Party Data Connections

By Default, nexxPLAY will not send any Data to Third Parties at all. Nevertheless, depending on the enabled Features, the following Products/Services may be integrated (besides the already mentioned Ad-related Connections):

  • Google Firebase

    • This Product is used for Realtime Features (like Comments, Polls, Premieres and HotSpots).

    • No Data is sent to Google explicitly, but the Player SDK actively connects to a Google Firebase Domain and listens for Events.

  • Recombee / XRoadMedia / IrisTV

    • These are Third-Party Recommendation Services, which may enhance the Recommendations shown to Users at Media End.

    • Depending on the Service and its Settings, nexxPLAY automatically and continuously sends various Usage Events and anonymous Visitor Identifiers to the respective Service Endpoints.

Data Storage

nexxPLAY stores User Preferences and anonymous Device/Session Identifiers in Cookies and localStorage. For Caching Purposes, also sessionStorage may be used.

For Recommendation Optimization (and Features like A/B Testing and AutoResume), nexxPLAY also stores Data in IndexedDB, if the Browser supports it; this Data is stored only locally and is never transmitted to any 3Q Analysis System.

As (First-Party) Cookies are sensitive, you may disable the Usage of Cookies in the nexxOMNIA Player Settings; disabling them affects only a few of the available Usage Analysis Offers in nexxOMNIA.

The complete List of Data that nexxPLAY stores is exposed via a DSGVO/TCF-compliant URL, as described here:

GDPR and TCF 2.0
