Csp Header Provider (web-CspHeaderProvider)
This header configures a typical HTML5 HX profile. You may add additional sources to these directives, but removing any of the default sources may cause your views to stop working.
https://content-security-policy.com/ provides additional information on the Content-Security-Policy HTTP response header.
The Security Dashboard provides information about the HTTP Header configuration and whether there is any performance degradation. It provides notification for any non-secure headers and explains why the settings are not secure. To secure the header's settings, set the values as described in the properties table of the “WebService (web-WebService)” topic.

To access this Property Sheet, expand and double-click Content-Security-Policy.
The term 'self' in the various -src (source) properties instructs the software to load resources only from the same origin, that is, the same scheme, host and port.
In addition to the standard properties (Enabled and Status), these properties are unique to this component.
| Property | Default value | Description |
|---|---|---|
| Violation Text | text | Creates the text to display when a browser reports a Content-Security-Policy violation to a station, which logs it in the web.reporting.csp log. The station logs the first violation with SEVERE priority, and subsequent violations as FINE. Note: A Content-Security-Policy violation should not typically occur during normal usage of the system. If you receive one, consider whether your Content-Security-Policy configuration should be changed to match browser behavior or if the violation represents an attempted XSS attack. |
| child-src | text | Defines the valid sources for web workers and nested browsing contexts loaded using elements, such as <frame> or <iframe>. |
| connect-src | text (defaults to 'self' workbench ws://%hostname%:%port% wss://%hostname%:%port%) | Restricts the URLs that can be loaded using script interfaces. You can set up a template so that all Content-Security-Policy directives reference the %scheme%, %hostname%, and %port% from the originating HTTP request. Note: When viewing HTML views in Workbench, this request is made to Workbench. Content-Security-Policy headers include this by default. Removing it may cause HTML views to stop working in Workbench. |
| default-src | text (defaults to 'self' workbench) | Serves as a fallback for the other fetch directives. |
| frame-src | text | Specifies valid sources for nested browsing contexts loading using elements such as <frame> or <iframe>. |
| font-src | text | Specifies valid sources for fonts loaded using @font-face. |
| img-src | text (defaults to 'self' workbench data:) | Specifies valid sources of images and favicons. |
| manifest-src | text | Specifies valid sources of application manifest files. |
| media-src | text | Specifies valid sources for loading media using the <audio>, <video> and <track> elements. |
| object-src | text | Specifies valid sources for the <object>, <embed>, and <applet> elements. |
| report-uri | text (defaults to /csp-reports) | Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. |
| script-src | text (defaults to 'self' workbench 'unsafe-inline' 'unsafe-eval') | Specifies valid sources for JavaScript. |
| style-src | text (defaults to 'self' workbench 'unsafe-inline') | Specifies valid sources for stylesheets. |
| Additional Directives | text | Provides a location to enter any Content-Security-Policy directives not covered by the other properties on this component. |
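As an added example (not code from the product or its documentation), the script below renders a header value from the directive defaults in the table, substitutes the %scheme%, %hostname% and %port% placeholders from an originating request, and audits the result for weak source expressions such as the 'unsafe-inline' and 'unsafe-eval' entries in the default script-src, honouring the default-src fallback for fetch directives that are left unset. The request values (scheme, hostname, port) are constructed for the demonstration.

```python
# Added example, not from the product documentation: directive names and
# defaults are copied from the properties table; request values are constructed.
from typing import Dict, List

DEFAULT_DIRECTIVES = {
    "default-src": "'self' workbench",
    "connect-src": "'self' workbench ws://%hostname%:%port% wss://%hostname%:%port%",
    "img-src": "'self' workbench data:",
    "script-src": "'self' workbench 'unsafe-inline' 'unsafe-eval'",
    "style-src": "'self' workbench 'unsafe-inline'",
    "report-uri": "/csp-reports",
}
# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = ["child-src", "connect-src", "font-src", "frame-src", "img-src",
                    "manifest-src", "media-src", "object-src", "script-src", "style-src"]
# Source expressions that weaken a policy; in script-src, 'unsafe-inline' and
# 'unsafe-eval' let injected script execute, which is what CSP exists to stop.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def render_csp(directives: Dict[str, str], scheme: str, hostname: str, port: int) -> str:
    """Substitute %scheme%/%hostname%/%port% from the originating request and join."""
    rendered = []
    for name, value in directives.items():
        value = (value.replace("%scheme%", scheme)
                      .replace("%hostname%", hostname)
                      .replace("%port%", str(port)))
        rendered.append(f"{name} {value}")
    return "; ".join(rendered)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source, ...]}."""
    policy = {}
    for item in header.split(";"):
        tokens = item.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit_csp(header: str) -> Dict[str, List[str]]:
    """Map each fetch directive (via default-src fallback) to the weak sources it allows."""
    policy = parse_csp(header)
    findings = {}
    for directive in FETCH_DIRECTIVES:
        sources = policy.get(directive, policy.get("default-src", []))
        weak = [s for s in sources if s in WEAK_SOURCES]
        if weak:
            findings[directive] = weak
    return findings
```

Running audit_csp over the rendered defaults flags script-src and style-src only; tightening script-src to 'self' workbench (if your views allow it) clears the script-src finding.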