Leo User Guide

CSP (Content Security Policy)


We suggest you reach out to us at the Leo Help Desk if you are looking to make changes to CSP.

This section allows the System Administrator to maintain, define, and enforce Content Security Policy rules. The purpose of the Content Security Policy Manager is to give the Administrator the ability to limit external content that may be linked into a page. There are three modes, described under Directives below: Disabled (Off), Reporting Only, and Enabled (Enforcing). There are controls for allowing or disallowing content, iframes, links, and images from hosts other than the one serving Leo content.

NOTE: Depending on the level of enforcement configured in these settings, content may be blocked even when it comes from the same server. The browser applies the general origin rules: 'self' means the same scheme, host and port as the page, and a rule that names the host explicitly must also agree on scheme and port. More to the point, by setting every directive to Enabled (enforcing) with an over-narrow source list it is possible to make the browser refuse to load the site's own scripts, styles and images, so the site stops rendering at all.
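The origin rules that note relies on, as an added example (not Leo code): a small matcher for the subset of CSP source syntax an administrator will actually type into the Rules screens ('self', 'none', scheme-sources such as https:, and host-sources with an optional scheme, wildcard label and port). Path matching is left out, and 'self' uses the strict Level 2 reading (same scheme, host and port). The host leo.example.edu, the port 8443 and every URL are constructed for the demonstration.

```python
# Added example (not Leo code): does a CSP source expression allow a resource?
# Covers 'self', 'none', scheme-sources (https:) and host-sources with an
# optional scheme, wildcard label and port. Path matching is omitted and
# 'self' uses the strict Level 2 reading (same scheme, host and port).
# Every URL below is constructed for the demonstration.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url):
    """Return (scheme, host, port) of a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def scheme_allows(policy_scheme, resource_scheme):
    """A policy scheme matches itself; http:/ws: also admit their secure forms."""
    if policy_scheme == resource_scheme:
        return True
    return (policy_scheme, resource_scheme) in {("http", "https"), ("ws", "wss")}


def host_matches(pattern, host):
    """Exact host, or '*.example.edu' for any subdomain (not the bare domain)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # ".example.edu"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_matches(expr, resource_url, document_url):
    """Does a single source expression permit resource_url from document_url?"""
    expr = expr.lower()
    r_scheme, r_host, r_port = origin_of(resource_url)
    d_scheme, d_host, d_port = origin_of(document_url)
    if expr == "'self'":                        # the document's own origin
        return (r_scheme, r_host, r_port) == (d_scheme, d_host, d_port)
    if expr.startswith("'"):                    # 'none', 'unsafe-inline', ...
        return False                            # keywords never match a URL
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. https:
        return scheme_allows(expr[:-1], r_scheme)
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    if "://" in expr:
        p_scheme, rest = expr.split("://", 1)
    else:
        p_scheme, rest = d_scheme, expr         # no scheme: inherit the document's
    rest = rest.split("/", 1)[0]
    if ":" in rest:
        host, port = rest.rsplit(":", 1)
        p_port = None if port == "*" else int(port)   # None = any port
    else:
        host, p_port = rest, DEFAULT_PORTS.get(r_scheme)  # no port: resource's default
    return (scheme_allows(p_scheme, r_scheme) and host_matches(host, r_host)
            and (p_port is None or p_port == r_port))


def allowed(source_list, resource_url, document_url):
    """Is the resource permitted by a whole source list (space-separated)?"""
    return any(source_matches(e, resource_url, document_url)
               for e in source_list.split())


# The situation the note describes: Leo served on a nonstandard port, with an
# img-src rule that names the host but not the port (constructed values).
DOC = "https://leo.example.edu:8443/home"
LOGO = "https://leo.example.edu:8443/img/logo.png"

if __name__ == "__main__":
    for source_list in ("'self'", "https://leo.example.edu",
                        "https://leo.example.edu:*", "*.example.edu"):
        print(f"img-src {source_list:<28} -> logo allowed: "
              f"{allowed(source_list, LOGO, DOC)}")
```

With the page served on port 8443, `img-src https://leo.example.edu` blocks the site's own logo (it implies port 443) while `'self'` or `https://leo.example.edu:*` allows it; `*.example.edu` matches subdomains only, not the page's own host.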

These rules are sent by the site server in the Content-Security-Policy response header and enforced by the user's browser. A rule consists of a directive and a source URI. The directive names are standardised; the CSP Level 2 list is tabled in the system for convenience. For further information, please review the following:

Path: Admin Toolbar > Advanced > System Administration > CSP

Leo Content Security Policy

For more information please read our Content Security Policy article.

Directive Types

Here you can define CSP (Content Security Policy) header directive values. You may edit, delete and add new directive values.

For reference and to review available directives currently supported, please see: MDN Content-Security-Policy

Manage URLs

These screens will allow you to define the available CSP (Content Security Policy) URLs. Certain types of CSP directives, called Fetch Directives, control locations from which certain resource types may be loaded.

For more information on fetch directives, please see: Fetch Directives

Mime Type Values

On this screen you can define the available CSP (Content Security Policy) MIME types. You may edit, delete and add new MIME types. Once entered on the CSP Mime Type Manager screen, the MIME type will be available for adding to the plugin-types directive on the CSP Rules screen.

Browsers generally use the MIME type (and not the file extension) to decide how to process a document; it is therefore important that the server sends the correct Content-Type header with each response, and the X-Content-Type-Options: nosniff header in the generated output below stops the browser from second-guessing it.

One or more MIME types can be set for the plugin-types directive.

Directives

This process flow allows the System Administrator to add or deprecate Content Security Policy (CSP) directives. Directives should only be strings that are known and adopted CSP directive names.

For example, the base-uri directive would be entered into this system with the ID of base-uri, and the description could be copied from the Mozilla developer site, i.e. 'The base-uri directive defines the URIs that a user agent may use as the document base URL. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the base element.'

This description does not affect rule-building but it does elucidate the purpose of the directive. The system will only use the directives it knows about for building CSP rules. Thus, directives can be added to the system as they are adopted or deprecated when no longer supported.

Note that the System Administrator controls the CSP mode, which can be:

  • Disabled - CSP directives will be ignored
  • Enabled - CSP directives will be enforced
  • Reporting Only - CSP directives will be examined and violations reported, but not enforced

Types Per Directive

This is a list of all active CSP Directives and their supported values. This is dictated by Content Security Policy 2 definitions from the World Wide Web Consortium (W3C).

The HTTP Content-Security-Policy response header allows website administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks.

For more information about the allowed values for each directive, please see:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Rules

This set of screens allows the System Administrator to modify how the CSP header is generated. A CSP rule is at its simplest a directive and source URI pair. For instance, an installation may want to serve images or scripts only from the originating server. That is one rule. Another installation may want to allow images or scripts from the originating server and from a limited list of sources deemed safe as well.

NOTE: CSP rules are not activated immediately. Once the rule set has been built in this set of screens, the System Administrator must generate the CSP header file and activate it (Path: Admin Toolbar > Advanced > Account Manager > System Admin Options > HTML Meta Tags). Please refer to this article for more information.
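How a rule set becomes a header, as an added example (not Leo's generator): each rule is a directive plus a source URI, rules for the same directive are merged, the mode picks the header name, and the report-uri is appended. SAMPLE_RULES and REPORT_URI are constructed to resemble the generated output shown later on this page, and KNOWN_DIRECTIVES is a hypothetical stand-in for the registry the Directives screen maintains.

```python
# Added example (not Leo's generator): build the CSP header from a rule set.
# SAMPLE_RULES, REPORT_URI and KNOWN_DIRECTIVES are constructed stand-ins for
# what the Rules, HTML Meta Tags and Directives screens hold.

KNOWN_DIRECTIVES = {                      # CSP Level 2 directives (subset)
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "manifest-src", "frame-src",
    "child-src", "base-uri", "form-action", "frame-ancestors",
    "plugin-types", "sandbox", "report-uri",
}
MODES = {
    "Disabled": None,                     # no header at all
    "Enabled": "Content-Security-Policy",
    "Reporting Only": "Content-Security-Policy-Report-Only",
}
# These keywords only mean something for script-src/style-src (and for
# default-src as their fallback); on any other directive the browser ignores them.
INLINE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
INLINE_DIRECTIVES = {"default-src", "script-src", "style-src"}

SAMPLE_RULES = [                          # (directive, source URI) pairs, constructed
    ("base-uri", "'self' 'unsafe-inline' 'unsafe-eval'"),
    ("base-uri", "'self'"),
    ("default-src", "'self'"),
    ("script-src", "'self' 'unsafe-inline'"),
    ("img-src", "'self' https://cdn.example.edu"),
    ("object-src", "'none'"),
    ("bogus-src", "'self'"),              # unknown directive: not emitted
]
REPORT_URI = "https://leo.example.edu/lcms/csp.php"   # constructed


def build_policy(rules, report_uri=None):
    """Fold rules into one policy string; return (policy, warnings)."""
    per_directive = {}                    # dict keeps first-seen directive order
    warnings = []
    for directive, source in rules:
        directive = directive.lower()
        if directive not in KNOWN_DIRECTIVES:
            warnings.append(f"{directive}: unknown directive, skipped")
            continue
        bucket = per_directive.setdefault(directive, [])
        for token in source.split():      # one rule's URI may list several sources
            if token in INLINE_KEYWORDS and directive not in INLINE_DIRECTIVES:
                warnings.append(f"{directive}: {token} has no effect here, dropped")
                continue
            if token not in bucket:       # drop duplicates such as a repeated 'self'
                bucket.append(token)
    # The list that actually governs scripts: script-src, else default-src.
    effective_scripts = per_directive.get("script-src") or per_directive.get("default-src", [])
    for token in INLINE_KEYWORDS & set(effective_scripts):
        warnings.append(f"scripts may use {token}: most XSS protection is lost")
    if report_uri:
        per_directive["report-uri"] = [report_uri]
    policy = "; ".join(f"{d} {' '.join(s)}" for d, s in per_directive.items() if s)
    return policy, warnings


def csp_header(mode, rules, report_uri=None):
    """Return (header name, value) for the mode, or None when CSP is Disabled."""
    name = MODES[mode]
    if name is None:
        return None
    policy, _ = build_policy(rules, report_uri)
    return name, policy


if __name__ == "__main__":
    header = csp_header("Reporting Only", SAMPLE_RULES, REPORT_URI)
    print(f"{header[0]}: {header[1]}")
    for warning in build_policy(SAMPLE_RULES, REPORT_URI)[1]:
        print("warning:", warning)
```

The warnings are the review a practitioner would do by hand: inline keywords on base-uri are inert and only clutter the policy, an unknown directive is silently dropped, and 'unsafe-inline' on the effective script source list means the policy no longer stops injected scripts.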

Leo strongly recommends that the System Administrator review and understand at least the MDN Content-Security-Policy reference linked above, and the CSP mode described under Directives (Disabled, Enabled, or Reporting Only), before changing content security policy settings. Start in Reporting Only and review the Violation Report before switching to Enabled.

Generate Meta File

Meta File 'cspMeta.inc' Generated:

<!-- CSP Header Settings -->
<!-- @copyright Leo 2018 -->
<!-- Generated by Mary Griffin -->
<!-- Created on 2018-11-08 10:11:49 -->
<!-- Directive 1 (base-uri) + rule 6 URI ('self' 'unsafe-inline' 'unsafe-eval') -->
<!-- Directive 1 (base-uri) + rule 16 URI ('self') -->
<!-- Directive 4 (default-src) + rule 17 URI ('self' 'unsafe-inline' 'unsafe-eval') -->
<!-- Directive 3 (connect-src) + rule 9 URI ('self') -->
<!-- Directive 5 (font-src) + rule 10 URI ('self') -->
<!-- Directive 9 (img-src) + rule 15 URI ('self') -->
<!-- Directive 10 (manifest-src) + rule 11 URI ('self') -->
<!-- Directive 11 (media-src) + rule 12 URI ('self') -->
<!-- Directive 12 (object-src) + rule 13 URI ('self') -->
<!-- Directive 18 (script-src) + rule 14 URI ('self' 'unsafe-inline' 'unsafe-eval') -->
<!-- meta http-equiv="Content-Type" content="text/html; charset=UTF-8" -->
<!-- meta http-equiv="X-XSS-Protection" content="1; mode=block" -->
<!-- meta http-equiv="X-XSS-X-Content-Type-Options" content="nosniff" -->
<!-- meta http-equiv="Strict-Transport-Security" content="max-age=31536000; includeSubDomains" -->
<!-- End of CSP Headers -->

-------------------------------------

Header File 'cspHeader.inc' Generated:

Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
X-XSS-X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy-Report-Only: base-uri 'self' 'unsafe-inline' 'unsafe-eval' 'self';default-src 'self' 'unsafe-inline' 'unsafe-eval';connect-src 'self';font-src 'self';img-src 'self';manifest-src 'self';media-src 'self';object-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval'; report-uri https://demo.lcmsplus.com/lcms/csp.php

Two things to check in output like this before switching from Reporting Only to Enabled. First, 'unsafe-inline' and 'unsafe-eval' only have meaning in script-src and style-src (and in default-src as their fallback); on base-uri the browser ignores them, which is why that directive above ends up listing 'self' twice. Listing them in script-src, as above, permits inline scripts and eval(), which removes most of the protection against cross-site scripting that the policy exists to provide. Second, browsers only honour header names they recognise: the standard name for the nosniff header is X-Content-Type-Options, and Strict-Transport-Security takes effect only as a response header over HTTPS, never as a meta tag.

Violation Report

This allows the System Administrator to filter through CSP violations reported by browsers to the server. When a policy names a report-uri (https://demo.lcmsplus.com/lcms/csp.php in the generated header above), each browser POSTs a standard JSON violation report to that endpoint, and the report screen is compiled from the data captured there.
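What the endpoint receives and how a violation report is built from it, as an added example (not Leo's csp.php): parse the JSON bodies browsers POST to the report-uri, reject anything malformed, and summarise or filter the rest by directive and blocked source. The report bodies, the host leo.example.edu and the MAX_BODY limit are constructed; the field names are the ones CSP Level 2 defines for the "csp-report" object.

```python
# Added example (not Leo's csp.php): parse CSP violation reports POSTed by
# browsers and summarise them. SAMPLE_BODIES are constructed request bodies.
import json
from collections import Counter
from urllib.parse import urlsplit

MAX_BODY = 16 * 1024      # the endpoint is unauthenticated: cap what it accepts

SAMPLE_BODIES = [         # constructed POST bodies, one per request
    '{"csp-report": {"document-uri": "https://leo.example.edu/course/1",'
    ' "violated-directive": "script-src", "effective-directive": "script-src",'
    ' "blocked-uri": "https://cdn.example.net/widget.js",'
    ' "original-policy": "script-src \'self\'; report-uri /lcms/csp.php",'
    ' "status-code": 200}}',
    # older browsers send the whole directive text, and "inline" for a
    # blocked inline script
    '{"csp-report": {"document-uri": "https://leo.example.edu/course/1",'
    ' "violated-directive": "script-src \'self\'", "blocked-uri": "inline",'
    ' "original-policy": "script-src \'self\'; report-uri /lcms/csp.php",'
    ' "source-file": "https://leo.example.edu/course/1", "line-number": 42}}',
    '{"csp-report": {"document-uri": "https://leo.example.edu/home",'
    ' "violated-directive": "img-src",'
    ' "blocked-uri": "https://leo.example.edu:8443/img/logo.png",'
    ' "original-policy": "img-src https://leo.example.edu"}}',
    '{"csp-report": {"document-uri": "https://leo.example.edu/home",'
    ' "violated-directive": "img-src",'
    ' "blocked-uri": "https://leo.example.edu:8443/img/banner.png",'
    ' "original-policy": "img-src https://leo.example.edu"}}',
    'not json at all',    # anyone can POST here; garbage must not break the report
]


def parse_report(body):
    """Return the inner csp-report dict, or None for anything malformed."""
    if len(body) > MAX_BODY:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    violated = report.get("violated-directive")
    if not isinstance(violated, str) or not violated.split():
        return None
    return report


def directive_of(report):
    """Directive name only: 'script-src' even when the whole directive was sent."""
    return report["violated-directive"].split()[0]


def blocked_source(report):
    """Origin of the blocked resource, or the keyword the browser used instead."""
    blocked = report.get("blocked-uri", "")
    if "://" not in blocked:
        return blocked or "unknown"         # "inline", "eval", "data", "self", ""
    p = urlsplit(blocked)
    # keep the origin only: same-origin blocked URLs arrive with path and query
    return f"{p.scheme}://{p.netloc}"


def summarise(bodies):
    """Count violations per (directive, blocked source); also count rejected bodies."""
    counts, rejected = Counter(), 0
    for body in bodies:
        report = parse_report(body)
        if report is None:
            rejected += 1
            continue
        counts[(directive_of(report), blocked_source(report))] += 1
    return counts, rejected


def filter_reports(bodies, directive=None, document_prefix=None):
    """The kind of filter the Violation Report screen offers: by directive and page."""
    selected = []
    for body in bodies:
        report = parse_report(body)
        if report is None:
            continue
        if directive and directive_of(report) != directive:
            continue
        if document_prefix and not report.get("document-uri", "").startswith(document_prefix):
            continue
        selected.append(report)
    return selected


if __name__ == "__main__":
    counts, rejected = summarise(SAMPLE_BODIES)
    for (directive, source), n in counts.most_common():
        print(f"{n:3d}  {directive:<12} {source}")
    print(f"rejected bodies: {rejected}")
```

Grouping by directive and blocked origin is what turns a stream of reports into something actionable: the two img-src rows with the site's own host on port 8443 point at an over-narrow rule rather than at foreign content, while a script-src row for a third-party origin is either a missing rule or an injection attempt that deserves a closer look.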
