Article Details
Id:18193
Product:finPOWER Connect Cloud
Type:NEW
Version:3.04.00.28
Opened:04/05/2021
Closed:18/05/2021
Released:01/07/2021
Job: J026496
High Importance

finPOWER Connect Cloud Configuration form; Security page now allows a Content Security Policy (CSP) to be defined

The finPOWER Connect Cloud Configuration form, General section, Security page now allows a Content Security Policy (CSP) to be defined.

The Method can be one of the following:

  • None
    • No Content Security Policy headers will be written
  • Content Security Policy
    • A Content Security Policy header will be written, meaning that any HTML Widgets accessing resources outside of the default list (below) will have that content blocked
  • Content Security Policy (Report Only)
    • As per the above but the resources will not actually be blocked; instead, a warning will be written to the web browser's console

By default, the following (as at version 3.04.00) Content Security Policy Header is used:

Content-Security-Policy: default-src 'self' *.google.com ;script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.googleapis.com *.gstatic.com;img-src 'self' data: *.gstatic.com;style-src 'self' 'unsafe-inline' *.google.com *.googleapis.com *.gstatic.com *.cloudflare.com;font-src 'self' *.google.com  *.googleapis.com *.gstatic.com *.cloudflare.com;frame-src 'self' *.google.com

If the Method is set to any value other than 'None' then a set of fields is displayed allowing acceptable content to be defined. These values will then be appended to the default values.

NOTE: The values for the various parts are shown as blank tips on the fields below the "Method" dropdown.

This content will be appended to the relevant section of the above "Content-Security-Policy" header.

You can use the "Content Security Policy (Report Only)" method to detect whether you need to authorise any locations. For example, if the following is reported in the browser debug window:

[Report Only] Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' *.google.com *.googleapis.com *.gstatic.com". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

You could enter "maxcdn.bootstrapcdn.com" in the "style-src" field.
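As an added example (not finPOWER code, and not a description of how the Configuration form is implemented internally), the following Node.js script models the two steps the article describes: appending user-entered sources to the matching directive of the default 3.04.00 header, and reading a browser "[Report Only]" console message to find out which directive and host would need to be authorised. The `parseCsp`, `appendSources` and `suggestFromReport` functions are assumptions of this example; the violation-message pattern is tied to the Chromium wording quoted above and other browsers phrase their messages differently.

```javascript
// Default header value as quoted in the article for version 3.04.00.
const DEFAULT_CSP =
  "default-src 'self' *.google.com ;script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.googleapis.com *.gstatic.com;" +
  "img-src 'self' data: *.gstatic.com;style-src 'self' 'unsafe-inline' *.google.com *.googleapis.com *.gstatic.com *.cloudflare.com;" +
  "font-src 'self' *.google.com  *.googleapis.com *.gstatic.com *.cloudflare.com;frame-src 'self' *.google.com";

// Parse "directive source source; directive ..." into an ordered Map of directive -> source list.
// Tolerates the stray spaces present in the default header.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Serialise the Map back into a header value.
function serializeCsp(directives) {
  return [...directives]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Append extra sources to the relevant directive, as the form's per-directive fields do,
// skipping sources that are already present so repeated saves do not grow the header.
function appendSources(header, extras) {
  const directives = parseCsp(header);
  for (const [name, list] of Object.entries(extras)) {
    const key = name.toLowerCase();
    const current = directives.get(key) || [];
    for (const src of list) {
      if (!current.includes(src)) current.push(src);
    }
    directives.set(key, current);
  }
  return serializeCsp(directives);
}

// Turn a Report-Only console message into a suggested (directive, host) pair.
// Returns null when the message does not match the expected wording.
function suggestFromReport(message) {
  const m = message.match(/Refused to [^']*'([^']+)'.*?directive: "([a-z-]+)/i);
  if (!m) return null;
  const url = new URL(m[1]);
  // Only the host is suggested; the path of the blocked resource is irrelevant to a source expression.
  return { directive: m[2].toLowerCase(), host: url.host };
}

// Constructed sample: the Report-Only message quoted in the article.
const SAMPLE_REPORT =
  "[Report Only] Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css' " +
  "because it violates the following Content Security Policy directive: \"style-src 'self' 'unsafe-inline' *.google.com " +
  "*.googleapis.com *.gstatic.com\". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.";

// Walk through the article's example: read the report, then build the effective header.
function demo() {
  const hint = suggestFromReport(SAMPLE_REPORT);
  const effective = appendSources(DEFAULT_CSP, { [hint.directive]: [hint.host] });
  return { hint, effective };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the script shows `style-src` as the directive and `maxcdn.bootstrapcdn.com` as the host, and the effective header with that host added to the end of `style-src`. Note that the suggestion is deliberately the bare host rather than a wildcard: authorising only the host that actually served the blocked stylesheet keeps the policy as narrow as the widget needs.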

Formatting of these values is outside of the scope of this article and should be undertaken by someone who understands how CSPs work.

The following article may be useful: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP