Content Security Policy
Content Security Policy (CSP) helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. Delivered as an HTTP response header, it tells the browser which sources it may load resources from for the page being viewed.
List of Included Fetch Directives
Out of the box, the Content-Security-Policy HTTP header is part of all Resolve Actions Pro web pages. It includes the following Fetch directives, which control the locations from which certain resource types may be loaded:
| Directive | Description |
|---|---|
| default-src | Serves as a fallback for the other fetch directives. |
| font-src | Specifies valid sources for fonts loaded using @font-face. |
| frame-src | Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>. |
| img-src | Specifies valid sources for images and favicons. |
| object-src | Specifies valid sources for <object>, <embed>, and <applet> elements. |
| script-src | Specifies valid sources for JavaScript and WebAssembly resources. |
| style-src | Specifies valid sources for stylesheets. |
| upgrade-insecure-requests | Instructs the user agent to treat all the site's insecure URLs (HTTP) as though they have been replaced with secure URLs (HTTPS). |
| frame-ancestors | Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. Set to self. |
Using System Properties, you can append to the Fetch directives ending in -src or disable them altogether. You cannot alter upgrade-insecure-requests or frame-ancestors.
Modifying Fetch Directives
You can control some aspects of the CSP settings, such as appending values to the defaults or disabling all Fetch directives ending in -src. For example, when creating Pages, you might need to extend the default list of locations specified using the Fetch directives.
You cannot remove or replace the CSP Fetch directives that are included by default, only append to them. See the table below to learn what the default directives are.
The System Properties listed in the table below control the available CSP settings.
Any changes to these system properties will go into effect only after restarting all RSView instances in the cluster.
| System Property Name | Description |
|---|---|
| csp.disable.all_src | Disables all *-src Fetch directives described in List of Included Fetch Directives. Type: boolean. |
| csp.custom.suffix | Adds Fetch directives for Content-Security-Policy other than the defaults. If you include any of the defaults as a custom directive, then all custom directives are ignored. |
| csp.default_src.suffix | Values to append to default-src. Note that default-src already includes self, unsafe-inline, and unsafe-eval sources. |
| csp.font_src.suffix | Values to append to font-src. Note that font-src already includes self, data:, and https://fonts.gstatic.com/ sources. |
| csp.frame_src.suffix | Values to append to frame-src. Note that frame-src already includes self and the Kibana Public Base URL (if Kibana is enabled) sources. |
| csp.img_src.suffix | Values to append to img-src. Note that img-src already includes self and data: sources. |
| csp.object_src.suffix | Values to append to object-src. Note that object-src already includes none as a source. |
| csp.script_src.suffix | Values to append to script-src. Note that script-src already includes self, unsafe-inline, and unsafe-eval sources. |
| csp.style_src.suffix | Values to append to style-src. Note that style-src already includes self, unsafe-inline, and https://fonts.googleapis.com/css sources. |
Format Tips
When setting System Properties for Fetch directives, use the exact format that the CSP specification mandates.
For example, for directives ending in -src, type in the new entries that you want to allow separated by a space:
'unsafe-hashes' https://www.example.com/fonts
When passing values to csp.custom.suffix, enter the directive name followed by its value or values. Separate multiple directives with a semicolon (;). For example:
media-src https://example.com/media https://mediatube.com/; manifest-src https://example.com/manifest
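The following added example models how the System Properties in the table above combine into the final Content-Security-Policy header value, using the default source lists from the table and the value formats from the Format Tips. It is written for this page and is not the product's own code; the rule that a custom directive duplicating a default discards all custom directives is taken from the table, and how the Kibana Public Base URL is supplied is assumed (passed in as an optional argument). Running it against a planned set of properties lets you check the resulting header before restarting RSView.

```python
"""Model of how Resolve Actions Pro CSP System Properties build the header.
Added illustration for this page, not the product's implementation."""

# Default source lists per -src directive, from the System Properties table.
DEFAULT_SRC = {
    "default-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    "font-src": ["'self'", "data:", "https://fonts.gstatic.com/"],
    "frame-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    "style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com/css"],
}
# System Property that appends to each -src directive (csp.<name>_src.suffix).
SUFFIX_PROPERTY = {d: "csp." + d.replace("-", "_") + ".suffix" for d in DEFAULT_SRC}
# Directives the page says cannot be altered through System Properties.
FIXED_DIRECTIVES = ["upgrade-insecure-requests", "frame-ancestors 'self'"]


def parse_custom_suffix(value):
    """Split 'name v1 v2; name2 v3' into [(name, [v1, v2]), (name2, [v3])]."""
    directives = []
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def build_csp(props, kibana_url=None):
    """Return the Content-Security-Policy value for a dict of System Properties."""
    parts = []
    # csp.disable.all_src=true removes every -src directive, defaults included.
    if props.get("csp.disable.all_src", "false").lower() != "true":
        for directive, defaults in DEFAULT_SRC.items():
            sources = list(defaults)
            if directive == "frame-src" and kibana_url:
                sources.append(kibana_url)  # assumed: Kibana Public Base URL
            # Suffix values are space-separated and appended after the defaults.
            sources += props.get(SUFFIX_PROPERTY[directive], "").split()
            parts.append(directive + " " + " ".join(sources))
    custom = parse_custom_suffix(props.get("csp.custom.suffix", ""))
    # A custom directive that duplicates a default discards all custom directives.
    if all(name not in DEFAULT_SRC for name, _ in custom):
        parts += [name + " " + " ".join(vals) for name, vals in custom]
    parts += FIXED_DIRECTIVES
    return "; ".join(parts)
```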