Whitelisted Hosts
You can now specify a list of hosts allowed to embed the Pipe recorder. Such a list helps prevent abuse from malicious users that could embed your Pipe Recording Client embed code on other websites.
There’s a different list for each of your environments.
To add to the list or edit the list go to the edit environment section and scroll down to the whitelisted hosts section.
The list is empty by default, meaning any host is allowed.
When adding a host, do not include the protocol (https:// or http://) or any specific web page path. For example, mywebsite.com is correct, but https://mywebsite.com/signup is incorrect.
The port number does not need to be specified. If it is, it will be ignored.
You can also use localhost or any IP as a host.
You can use the wildcard prefix * to allow all subdomains.
The maximum length of any host entry must be 100 characters.
Here are some examples of how validation works:
| Host entry | Valid | Invalid |
|---|---|---|
example.com | example.com | www.example.com |
www.example.com | www.example.com | example.com |
*.example.com | all example.com subdomains | example.com |
*.subdomain.example.com | all subdomains of subdomain.example.com | test.another-subdomain.example.com |
*.*.example.com | all 2-level subdomains of example.com | www.example.com |
When the Pipe Recording Client is embedded on a host that’s not in the list, the recording client will prevent the embed code from running and show an error message.
- If the Pipe recorder is embedded in a page with the header
Referrer-Policyset tono-referrerfornon-corsrequest modes. - If the Pipe recorder is included in a web page through an iframe with a
sandboxattribute that’s either empty (all restrictions are applied) or doesn’t contain the valueallow-same-origin.
In such cases, if you have any entry in the list of allowed hosts above, the Pipe recorder will not run. It will show a specific error message and prevent any type of recording submission (record or upload).