Data Protection and Security
Content-Security-Policy
If the frontend that embeds nexxPLAY uses a Content Security Policy, the following hosts, schemes and settings must be added to the respective directives:
script-src
    arc.nexx.cloud
    www.gstatic.com (only necessary if Chromecast is used)
    imasdk.googleapis.com (only necessary if ads are used and delivered via Google IMA)
style-src
    arc.nexx.cloud
font-src
    arc.nexx.cloud
frame-src
    embed.nexx.cloud
    download.nexx.cloud (only necessary if the download functionality is used)
img-src
    assets.nexx.cloud
    images.nexx.cloud
    data:
connect-src
    arc.nexx.cloud
    api.nexx.cloud
    services.nexx.cloud
    feeds.nexx.cloud (only necessary if widgets are used)
    nexxtv-events.servicebus.windows.net
    *.firebasedatabase.app (only necessary if realtime features are used)
    wss: (only necessary if realtime features are used)
media-src
    blob: (necessary for the streaming protocols HLS and DASH, which hand segments to the player through Media Source Extensions via a blob: URL)
navigate-to
    download.nexx.cloud (only necessary if the download functionality is used)
    Note: navigate-to was dropped from the CSP Level 3 draft and is not enforced by any stable browser. Browsers ignore directives they do not recognise, so listing it is harmless, but it currently has no effect.
Customers can, if desired and configured, serve their embed and feed URLs from their own domains via CNAME. In that case the CNAME hostnames must be listed in the respective directives instead, and the default *.nexx.cloud entries are not necessary.
Further Considerations:
nexxPLAY downloads additional scripts automatically and asynchronously, depending on the enabled features and the browser. The page CSP must therefore either allow 'unsafe-inline' (at least for script-src) or use the CSP nonce mechanism, which nexxPLAY supports: with script-src 'nonce-nexxplay_internal' (the directive name is followed by a space, not a colon) the browser accepts scripts carrying a matching nonce attribute, and nexxPLAY adds this attribute to every script tag it creates. Two caveats: a fixed, publicly documented nonce provides none of the anti-injection protection a per-request random nonce gives, since any injected markup can carry the same value; and browsers that understand nonces ignore 'unsafe-inline' in the same directive, so the two do not combine.
Because nexxPLAY is embedded into a client page, it must use inline styles in various situations. To allow this, style-src must include 'unsafe-inline'.
Each customer uses one or more media CDNs for video, audio and live delivery. The hostnames of these CDNs must therefore be added to at least media-src and connect-src (connect-src covers the manifest and licence requests the player makes itself).
Simple CSP Example
This example makes nexxPLAY fully functional, including the realtime and download features. Content CDN URLs are not shown, as they are always customer-specific.
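As an added illustration that is not part of the nexxPLAY documentation or the 3Q code base, the following Node.js snippet assembles a Content-Security-Policy header from the directive list above for a given feature set, so the per-feature entries are not forgotten or left in when a feature is off. The feature names (chromecast, imaAds, download, widgets, realtime), the option names, the default-src and 'self' entries for the embedding page's own resources, and the CDN host cdn.example.com are assumptions for illustration; the nexxPLAY sources themselves are taken from the list above.

```javascript
"use strict";

// Sources nexxPLAY needs per directive, from the documentation's list.
// An entry with a `feature` is only required when that feature is enabled.
// (Feature names are this example's own choice, not nexxPLAY settings.)
const NEXX_CSP_SOURCES = {
  "script-src": [
    { src: "arc.nexx.cloud" },
    { src: "www.gstatic.com", feature: "chromecast" },
    { src: "imasdk.googleapis.com", feature: "imaAds" },
  ],
  // nexxPLAY must use inline styles when embedded in a client page.
  "style-src": [{ src: "arc.nexx.cloud" }, { src: "'unsafe-inline'" }],
  "font-src": [{ src: "arc.nexx.cloud" }],
  "frame-src": [
    { src: "embed.nexx.cloud" },
    { src: "download.nexx.cloud", feature: "download" },
  ],
  "img-src": [{ src: "assets.nexx.cloud" }, { src: "images.nexx.cloud" }, { src: "data:" }],
  "connect-src": [
    { src: "arc.nexx.cloud" },
    { src: "api.nexx.cloud" },
    { src: "services.nexx.cloud" },
    { src: "feeds.nexx.cloud", feature: "widgets" },
    { src: "nexxtv-events.servicebus.windows.net" },
    { src: "*.firebasedatabase.app", feature: "realtime" },
    { src: "wss:", feature: "realtime" },
  ],
  // blob: is needed for HLS/DASH playback through Media Source Extensions.
  "media-src": [{ src: "blob:" }],
};

// Build the header value. `features` is an object of booleans, `mediaCdnHosts`
// the customer's CDN hostnames, `scriptNonce` the nonce value to allow instead
// of 'unsafe-inline' (nexxPLAY stamps "nexxplay_internal" on scripts it creates).
function buildNexxPlayCsp({ features = {}, mediaCdnHosts = [], scriptNonce = null } = {}) {
  // default-src and 'self' are assumptions for the embedding page's own
  // resources; the nexxPLAY documentation lists only the player's sources.
  const policy = new Map([["default-src", ["'self'"]]]);
  for (const [directive, entries] of Object.entries(NEXX_CSP_SOURCES)) {
    const sources = ["'self'"];
    for (const { src, feature } of entries) {
      if (!feature || features[feature]) sources.push(src);
    }
    policy.set(directive, sources);
  }
  // Scripts nexxPLAY injects at runtime need either 'unsafe-inline' or the
  // nonce. Never emit both: CSP2+ browsers ignore 'unsafe-inline' as soon as
  // a nonce or hash is present in the same directive.
  if (scriptNonce) {
    // CSP nonces must be base64 / base64url values.
    if (!/^[A-Za-z0-9+\/_-]+={0,2}$/.test(scriptNonce)) {
      throw new Error("nonce must be a base64 value");
    }
    policy.get("script-src").push(`'nonce-${scriptNonce}'`);
  } else {
    policy.get("script-src").push("'unsafe-inline'");
  }
  // Customer media CDNs: connect-src for manifests and licences, media-src for playback.
  for (const host of mediaCdnHosts) {
    policy.get("media-src").push(host);
    policy.get("connect-src").push(host);
  }
  return [...policy].map(([directive, srcs]) => `${directive} ${srcs.join(" ")}`).join("; ");
}

// Parse a header value back into directive -> source list, e.g. to audit a
// deployed policy for a missing or surplus nexxPLAY entry.
function parseCsp(header) {
  const out = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out.set(tokens[0], tokens.slice(1));
  }
  return out;
}

// Constructed sample: realtime and download enabled, one customer CDN.
console.log(buildNexxPlayCsp({
  features: { realtime: true, download: true },
  mediaCdnHosts: ["cdn.example.com"],
}));
```

Pass the result as the value of the Content-Security-Policy response header of the embedding page. Run it first as Content-Security-Policy-Report-Only with a report-to or report-uri target to catch any customer-specific host the list above cannot know about before enforcing.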
Content-Security and Ads
As a general rule, 3Q does not recommend using a CSP on pages where ads are integrated. Because of the dynamic nature of media ads and VAST, it is nearly impossible to list all VAST URLs and media origins that may occur.
Furthermore, depending on the features used, the ad stack may require JavaScript's eval, which carries its own security risk. If advanced ad settings are used, 'unsafe-eval' must therefore be allowed in script-src.
If the client uses Google IMA, nexxPLAY automatically downloads the Google IMA SDK, which then handles all ad requests and reporting. This is third-party code executing in the page context and must be accounted for in the page's threat model.
In some situations nexxPLAY can use anti-ad-block techniques. For this, additional scripts are loaded and executed, and 'unsafe-eval' must also be allowed.
iFrame Settings
nexxPLAY iframes automatically emit CORP and COOP headers as necessary. If the embedding environment also requires COEP (a page served with Cross-Origin-Embedder-Policy: require-corp can only embed cross-origin frames that themselves send a COEP header), the embed code can be extended with the enableCOEP parameter so that the iframe also emits this header.
nexxPLAY also supports embedding with the sandbox attribute. The only strictly required token is allow-scripts; everything else is optional and depends on the enabled functionality. allow-popups is often needed for various scenarios, but not for basic operation. Note that a sandboxed frame without allow-same-origin runs with an opaque origin and therefore has no access to the cookies and storage described under Data Storage below.
Third-Party Data Connections
By default, nexxPLAY does not send any data to third parties. Depending on the enabled features, however, the following products/services may be integrated (in addition to the ad-related connections already mentioned):
Google Firebase
This product is used for realtime features (comments, polls, premieres and hotspots).
No data is sent to Google explicitly, but the player SDK actively connects to a Google Firebase domain and listens for events; the connection itself necessarily exposes the visitor's IP address and connection metadata to Google.
Recombee / XRoadMedia / IrisTV
These third-party recommendation services may enhance the recommendations shown to users at the end of a media item.
Depending on the service and its settings, nexxPLAY continuously and automatically sends usage events and anonymous visitor identifiers to the service's endpoints.
Data Storage
nexxPLAY stores user preferences and anonymous device/session identifiers in cookies and localStorage; sessionStorage may also be used for caching.
For recommendation optimization (and features such as A/B testing and AutoResume), nexxPLAY also stores data in IndexedDB where the browser supports it. This data is stored only locally and is never transmitted to any 3Q analysis system.
As first-party cookies are sensitive, cookie usage can be disabled in the nexxOMNIA player settings; disabling it affects only a few of the usage analysis offers available in nexxOMNIA.
The complete list of data stored by nexxPLAY is exposed via a DSGVO/TCF-compliant URL, as described here: