Security & branding

Allowed embedding origins (CSP)

Browsers will refuse to render the iframe until your origin is on the allow list. Set it in Settings → Integration as a comma-separated list:

https://casino.example,https://www.casino.example
  • This drives the frame-ancestors Content-Security-Policy directive on /play.
  • Empty = same-origin only (the iframe won’t embed anywhere external).
  • Include every host you embed from, including www and any staging domains.
  • Use exact origins (scheme + host, optional port). No wildcards for production brands.

If the iframe shows a blank frame or a console CSP error, this is almost always the cause.
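The rules above can be checked before the list is saved. The following is an added example, not the product's own code: the function names are hypothetical, accepting both http and https is an assumption, and so is expressing the empty "same-origin only" case as 'self'.

```javascript
// Added example: pre-check an allow-list string before saving it in settings.
// Function names are hypothetical; the product's own validation may differ.
function parseAllowedOrigins(list) {
  const origins = [];
  const errors = [];
  for (const raw of list.split(',')) {
    const entry = raw.trim();
    if (entry === '') continue; // empty list or stray comma
    if (entry.includes('*')) {
      errors.push(`${entry}: wildcard, not an exact origin`);
      continue;
    }
    let url;
    try {
      url = new URL(entry);
    } catch {
      errors.push(`${entry}: not parseable, scheme missing?`);
      continue;
    }
    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
      // Also catches "host:port" typed without a scheme.
      errors.push(`${entry}: scheme must be http or https`);
    } else if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) {
      errors.push(`${entry}: give scheme + host (+ port) only`);
    } else if (!origins.includes(url.origin)) {
      origins.push(url.origin); // normalised: lower-case host, no trailing slash
    }
  }
  return { origins, errors };
}

// Assumption: "same-origin only" for an empty list is expressed as 'self'.
function frameAncestorsValue(list) {
  const { origins, errors } = parseAllowedOrigins(list);
  if (errors.length > 0) throw new Error(errors.join('; '));
  return `frame-ancestors ${origins.length > 0 ? origins.join(' ') : "'self'"}`;
}

console.log(frameAncestorsValue('https://casino.example,https://www.casino.example'));
```

Comparing the returned value with the Content-Security-Policy response header on /play shows whether the host origin you embed from is actually covered.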

Branding & theme tokens

Set your brand color in Settings → Branding as a hex value (#rrggbb). It reaches the game app as a CSS variable (--brand) and themes buttons, accents, and highlights.

Theme tokens (colors, font, radius) are read from your operator settings and applied at session start. The bootstrap freezes them for the life of a session — editing branding mid-session does not retheme a running game; it applies to new sessions.

Live preview

The admin Integration → Iframe screen renders /play/preview and pushes token changes into it live via postMessage (theme.preview), so you can tune colors without minting real sessions. This preview channel is admin-only and distinct from the runtime messaging in Host ↔ iframe messaging.

Light / dark

When embedded, the host page can mirror its light/dark preference into the iframe with a theme message (see messaging). Otherwise the game app follows its own default.

Logo & display name

Your operator name and logo URL are part of the bootstrap and shown in the game app header. Set them in operator settings.