Data Protection and Security
If the frontend that embeds nexxPLAY uses a Content Security Policy, the following URLs, settings and protocols must be added:
- nexxPLAY automatically and asynchronously downloads additional scripts, depending on the enabled features and the browser. The page CSP must therefore allow 'unsafe-inline' (at least for script-src). If that is not an option, nexxPLAY supports the CSP nonce mechanism: setting script-src 'nonce-nexxplay_internal' allows scripts that carry this nonce attribute, and nexxPLAY adds the attribute to every additional script tag it creates. Note that this nonce is a fixed value, so it only restricts inline execution to script tags carrying that attribute; it does not give the per-response unpredictability of a server-generated nonce.
- nexxPLAY must use inline styles in various situations, as it is embedded into a client page. To allow this, style-src must at least include 'unsafe-inline'.
- Each customer uses one (or several) media CDNs for video, audio and live delivery. Each customer must therefore add the necessary URLs to at least media-src and connect-src (connect-src is needed for licenses and manifests).
<meta http-equiv="Content-Security-Policy"
  content="default-src 'self' data: blob: wss: *.nexx.cloud *.windows.net;
  media-src blob: data: *;
  script-src 'nonce-nexxplay_internal' *.nexx.cloud;
  style-src 'unsafe-inline' *.nexx.cloud;
  base-uri 'none';" />
This example makes nexxPLAY work completely, including the realtime and download features. No content CDN URLs are shown here, as they are always customer-specific.
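As an added illustration (not code from 3Q nexx or the nexxPLAY SDK), the following Python checker applies the rules above to a CSP string: script-src must carry 'unsafe-inline' or the nexxplay_internal nonce, style-src must carry 'unsafe-inline', and every customer CDN host must be reachable via media-src and connect-src, honouring the fallback to default-src. The CDN host name is a constructed placeholder, and host matching is a plain token comparison rather than full CSP source matching.

```python
"""Check a Content-Security-Policy value against the nexxPLAY embedding rules."""
from typing import Dict, List

NEXX_NONCE = "'nonce-nexxplay_internal'"

# The policy from the example above, as one header/meta value (constructed here).
PAGE_POLICY = (
    "default-src 'self' data: blob: wss: *.nexx.cloud *.windows.net; "
    "media-src blob: data: *; "
    "script-src 'nonce-nexxplay_internal' *.nexx.cloud; "
    "style-src 'unsafe-inline' *.nexx.cloud; "
    "base-uri 'none'"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(csp: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives that are absent fall back to default-src."""
    return csp[directive] if directive in csp else csp.get("default-src", [])


def check_nexxplay_csp(policy: str, cdn_hosts: List[str]) -> List[str]:
    """Return the list of problems; an empty list means the policy satisfies the rules."""
    csp = parse_csp(policy)
    problems: List[str] = []
    script = effective_sources(csp, "script-src")
    if "'unsafe-inline'" not in script and NEXX_NONCE not in script:
        problems.append("script-src: needs 'unsafe-inline' or " + NEXX_NONCE)
    if "'unsafe-inline'" not in effective_sources(csp, "style-src"):
        problems.append("style-src: needs 'unsafe-inline'")
    # Licenses and manifests go through connect-src, segments through media-src,
    # so each customer CDN host must be allowed by both (or by a bare '*').
    for directive in ("media-src", "connect-src"):
        sources = effective_sources(csp, directive)
        for host in cdn_hosts:
            if host not in sources and "*" not in sources:
                problems.append(f"{directive}: CDN host {host} not allowed")
    return problems


if __name__ == "__main__":
    # 'cdn.example-customer.net' is a placeholder for a customer's media CDN.
    for issue in check_nexxplay_csp(PAGE_POLICY, ["cdn.example-customer.net"]):
        print(issue)
```

Run against the page's own example, the checker reports only that connect-src (falling back to default-src) does not allow the customer CDN, which is exactly the customer-specific part the text says is omitted.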
As a general rule, 3Q nexx does not recommend using a CSP on pages where ads will be integrated. Due to the dynamic nature of media ads / VAST, it is nearly impossible to list all possible VAST URLs and media origins that may occur.
If the client wants to work with Google IMA, nexxPLAY automatically downloads the Google IMA SDK, which then processes all ad requests and reporting. This may pose another security hole that must be addressed properly.
nexxPLAY is able to use anti-ad-block technologies in some situations. For this purpose, additional scripts are loaded and processed; here, 'unsafe-eval' must also be allowed.
By default, nexxPLAY does not send any data to third parties at all. Nevertheless, depending on the enabled features, the following products/services may be integrated (besides the ad-related connections already mentioned):
- Google Firebase
  - This product is used for realtime features (such as comments, polls, premieres and hotspots).
  - No data is sent to Google explicitly, but the player SDK actively connects to a Google Firebase domain and listens for events.
- Recombee / XRoadMedia / IrisTV
  - These are third-party recommendation services that may enhance the recommendations shown to users at media end.
  - Depending on the service and its settings, nexxPLAY continuously and automatically sends various usage events and anonymous visitor identifiers to the respective service endpoints.
nexxPLAY stores user preferences and anonymous device/session identifiers in cookies and localStorage. For caching purposes, sessionStorage may also be used.
For recommendation optimization (and features such as A/B testing and AutoResume), nexxPLAY also stores data in IndexedDB if the browser supports it. This data is stored only locally and is never transmitted to any 3Q nexx analysis system.
The complete list of data that nexxPLAY stores is exposed via a DSGVO/TCF-compliant URL, as described here: