We use cookies to try and give you a better experience in Freshdesk.
You can learn more about what kind of cookies we use, why, and how from our Privacy policy. If you hate cookies, or are just on a diet, you can disable them altogether too. Just note that the Freshdesk service is pretty big on some cookies (we love the choco-chip ones), and some portions of Freshdesk may not work properly if you disable cookies.
We’ll also assume you agree to the way we use cookies and are ok with it as described in our Privacy policy, unless you choose to disable them altogether through your browser.
Update to Previously Announced Release
This release builds on the Permissions-Policy HTTP Header release originally announced on 3/31/2026 (Beta: 3/31, Prod: 4/28). Following that release, some lenders experienced issues with trusted third-party vendor scripts being blocked by the new header. As a workaround, the feature was temporarily disabled for affected lenders. This update introduces lender-configurable exceptions so the feature can be re-enabled for all lenders.
Date Available: Beta 6/9, Prod 7/7
Which customers are impacted?: All lenders. Lenders who had the Permissions-Policy feature disabled following the April release will be automatically re-enabled on 6/9.
Required?: Yes, this is a required release. Required releases are features that Blend wants to standardize in the codebase, and typically do not require additional configuration.
How to turn on: This feature will be automatically enabled on the dates listed above.
Purpose of Update and Benefit: The April 2026 Permissions-Policy HTTP Header release added a security control to restrict which browser features and APIs the lending application can access. This update introduces support for exceptions, allowing trusted vendor origins to be allowlisted without requiring a new Blend code release.
Current Behavior: The Permissions-Policy header does not support exceptions for trusted third-party vendors. Lenders whose trusted vendor scripts were blocked by the header had the feature disabled as a workaround, leaving those lenders without the security protections introduced in the April release.
New Behavior: Exceptions for trusted third-party vendor origins can now be added directly in the Setup panel. Lenders who need a vendor origin allowlisted can navigate to Your settings > Setup > Analytics > CSP Directives to add the exception.
The Permissions-Policy header feature will be re-enabled for all lenders on 6/9.
Note: Vendor origins only, not full URLs with a path. Wildcards are not supported.
0 Votes
0 Comments
Login to post a comment