Considerations & Known Limitations

Flutter - NeuroID does not support applications developed using the Flutter framework.
HTML Field Identifiers
NeuroID differentiates form fields in your web application based on how they are decorated in your application. NeuroID can utilize any existing property on your HTML elements, but at least one property must exist on each. Ideally, each field is uniquely recognizable and observable by NeuroID’s JavaScript library. If your website does not consistently decorate your form field elements, please reference our documentation for more information on adding HTML5 data attributes that NeuroID can utilize.
Shadow DOM, iframes, and DOM encapsulation frameworks
Web frameworks that utilize inline frames (iframes), the Shadow DOM API, or other encapsulation measures may prohibit the NeuroID JavaScript library from observing user interactions with form fields on the page. If your website utilizes encapsulation, behavioral observation by NeuroID may be unavailable or incomplete if care is not taken in the implementation of our JavaScript. While in some cases, this is an insurmountable limitation, in other cases, additional advanced configuration is necessary to allow NeuroID’s data collection library to function.
- iframes - You must run NeuroID’s JavaScript library from within the iframe that contains the fields from which NeuroID will capture behavior.
- Shadow DOM - In web applications that leverage the attachShadow() method, there are two methods of encapsulation referred to as “open Shadow DOM” and “closed Shadow DOM,” which occur when you set the mode property to either open or closed when declaring the Shadow DOM. A recursive function may be used to capture behavior from elements enclosed within an open Shadow DOM. However, as the name suggests, elements enclosed within a closed Shadow DOM are inaccessible. Please contact NeuroID customer support for more information on collection from an open Shadow DOM before proceeding with your installation.
- Angular - In some older versions of Angular we have noticed performance degradation due to the way Angular’s change detection works. To fix this, any commands to the NeuroID library should be called from within the `runOutsideAngular` method which enables the NeuroID functions to run outside of the Angular zone. This may be required if your application is constructed with Angular version 8 or older.
Salesforce Lightning Web Components (LWC)
The Salesforce LWC development framework has functions that disable event propagation to other components which stops events from being captured by NeuroID’s JavaScript. If your application is developed with this framework, an additional function will need to be added to the NeuroID JavaScript snippet which overrides the default stopPropagation behavior in order to add listeners for page events and target changes. Please contact NeuroID customer support for more information before proceeding with your installation.

Domain Safelisting

To integrate with NeuroID's services, you must safelist the following domains:

https://scripts.neuro-id.com/ - The subdomain that is hosting the NeuroID JavaScript assets.
https://advanced.neuro-id.com/ - The subdomain that is hosting the device and network assets.
https://receiver.neuroid.cloud/ - The subdomain that is receiving behavior events via POSTs.

Content Security Policy (CSP)

The Content-Security-Policy (CSP) is a security feature in web browsers that helps prevent cross-site scripting (XSS) attacks by restricting the resources (e.g., scripts, styles, images) that a web page can load or execute. You must update your CSP to allow third-party JavaScript for NeuroID to work. The general steps are:

Determine the current CSP setting: Check the current CSP setting of your app by looking at the Content-Security-Policy header in the HTTP response of your web server. You can use the browser's developer tools to inspect the network requests and responses.
Modify the CSP setting: You must update your policy to be able to:

load JavaScript assets from the https://scripts.neuro-id.com/ subdomain,
load JavaScript assets from the https://advanced.neuro-id.com/subdomain,
GET data from the https://advanced.neuro-id.com/ subdomain,
POST data to the https://receiver.neuroid.cloud/ domain,

Modify the CSP setting to allow scripts.neuro-id.com:

Content-Security-Policy: script-src 'self' scripts.neuro-id.com advanced.neuro-id.com;

If your CSP utilizes connect-src, this rule may be used for domains that require HTTP calls. Otherwise, place these in the default-src section of your CSP.

NOTE Optionally, use a subdomain wildcard pattern to allow access to *.neuro-id.com and *.neuroid.cloud. The most general wildcard pattern uses * and places these subdomains in the default-src section of your CSP.

Content-Security-Policy: default-src 'self' *.neuro-id.com *.neuroid.cloud;