Csp Header Provider (web-CspHeaderProvider)
https://content-security-policy.com/ provides additional information on the Content-Security-Policy HTTP response header.
The Security Dashboard provides information about the HTTP Header configuration and whether there is any performance degradation. It provides notification for any non-secure headers and explains why the settings are not secure. To secure the header's settings, set the values as described in the properties table of the “WebService (web-WebService)” topic.
Figure 222. Content-Security-Policy properties
To access this Property Sheet, expand and double-click Content-Security-Policy.
The term ‘self’ in the various –src (source) properties instructs the software to load resources from the same origin, that is, the same scheme, host and part.
In addition to the standard properties (Enabled and Status), these properties are unique to this component.
| Property | Default value | Description |
|---|---|---|
| Violation Text | text | Creates the text to display when a browser reports a Content-Security-Policy violation to a station, which logs it in the web.reporting.csp log.
The station logs the first violation with SEVERE priority, and subsequent violations as FINE. NOTE: A Content-Security-Policy violation should not typically occur during normal usage of the system. If you receive one, consider whether your Content-Security-Policy configuration should be changed to match browser behavior or if the violation represents an attempted XSS attack.
|
| child-src | text | Defines the valid sources for web workers and nested browsing contexts loaded using elements, such as <frame> or <iframe>. |
| connect-src | text (defaults to 'self' workbench ws://%hostname%:%port% wss://%hostname%:%port%) | Restricts the URLs that can be loaded using script interfaces.
You can set up a template so that all Content-Security-Policy directives reference the %scheme%, %hostname%, and %port% from the originating HTTP request. NOTE: When viewing HTML views in
|
| default-src | text (defaults to 'self' workbench) | Serves as a fallback for the other fetch directives. |
| frame-src | text | Specifies valid sources for nested browsing contexts loading using elements such as <frame> or <iframe>. |
| font-src | text | Specifies valid sources for fonts loaded using @font face. |
| img-src | text (defaults to 'self' workbench data:) | Specifies valid sources of images and favicons. |
| manifest-src | text | Specifies valid sources of application manifest files. |
| media-src | text | Specifies valid sources for loading media using the <audio>, <video> and <track> elements. |
| object-src | text | Specifies valid sources for the <object>, <embed>, and <applet> elements. |
| report-uri | text (defaults to /csp-reports) | Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. |
| script-src | text (defaults to 'self' workbench 'unsafe-inline' 'unsafe-eval') | Specifies valid sources for JavaScript. |
| style-src | text (defaults to 'self' workbench 'unsafe-inline') | Specifies valid sources for stylesheets. |
| Additional Directives | text | Provides a location to enter any Content-Security-Policy directives not covered by the other properties on this component. |