Each page that is expected to be included in the usage statistics needs to load the Offen script. The script needs to be configured with the Account ID you want to use for that page.
The script is served from https://<your-installation-domain>/script.js and can be included in any portion of your document, for example as part of the document’s
<script async src="https://<your-installation-domain>/script.js" data-account-id="<your-account-id>"></script>
Your Account ID and the entire snippet can be found when you log in to the Auditorium and select the account you want to use.
If you serve your site with a Content-Security-Policy, there are a few things to consider when adding the Offen script:
As the Offen script is served from a different subdomain, you need to allow the domain as a
script-src 'self' https://offen.mysite.org.
Offen isolates all handling of usage data in an iframe element so it can leverage the Same-Origin Policy to protect data from unwanted access by third parties. Your Content-Security-Policy therefore needs to specify a
frame-src 'self' https://offen.mysite.org
When displaying the consent banner, Offen injects an inline stylesheet to position the banner element on the site. This means you need to allow unsafe-inline styles in your Content-Security-Policy:
style-src 'self' 'unsafe-inline'
A minimal Content-Security-Policy to use Offen on your site could look like:
Content-Security-Policy: default-src 'self'; script-src 'self' offen.mysite.org; frame-src 'self' offen.mysite.org; style-src 'self' 'unsafe-inline'
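The following check is an added example, not part of Offen or its documentation: it parses a Content-Security-Policy value and reports which of the three requirements above (script-src, frame-src, inline styles) the policy would still block. The function names are hypothetical, offen.mysite.org is the placeholder domain used on this page, and the source matching is simplified as noted in the comments.

```javascript
// Constructed placeholder: the Offen installation origin used on this page.
const OFFEN_ORIGIN = 'https://offen.mysite.org';

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  const value = header.replace(/^\s*content-security-policy:/i, '');
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// First directive present in the fallback chain governs; null means unrestricted.
function effective(directives, chain) {
  const name = chain.find((n) => directives.has(n));
  return name ? directives.get(name) : null;
}

// Simplified source match: '*', a bare scheme, or the exact host with or
// without scheme. Wildcard subdomains, ports and paths are not handled.
function allowsOrigin(sources, origin) {
  if (sources === null) return true;
  const { protocol, host } = new URL(origin);
  const accepted = ['*', protocol, host, `${protocol}//${host}`];
  return sources.some((s) => accepted.includes(s.replace(/\/$/, '')));
}

function allowsInlineStyle(sources) {
  if (sources === null) return true;
  // 'unsafe-inline' is ignored when the same list carries a nonce or hash.
  const nonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !nonceOrHash;
}

// Returns the directives that would block Offen; an empty array means none.
function checkOffenCsp(header, origin = OFFEN_ORIGIN) {
  const d = parseCsp(header);
  const blocked = [];
  if (!allowsOrigin(effective(d, ['script-src', 'default-src']), origin)) blocked.push('script-src');
  if (!allowsOrigin(effective(d, ['frame-src', 'child-src', 'default-src']), origin)) blocked.push('frame-src');
  if (!allowsInlineStyle(effective(d, ['style-src', 'default-src']))) blocked.push('style-src');
  return blocked;
}
```

A policy that sets only default-src 'self' is reported as blocking all three, and a style-src list that adds a nonce next to 'unsafe-inline' is reported as blocking the banner stylesheet.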