Content Security Policies
Completing the Policy Definition tab


Set the policy directives for each category displayed. Click the title of a category to display or hide its fields.

In many sections you have the option of allowing access to the website (or a behavior such as form-action) from a list of websites. To add a website, click the + icon in the appropriate policy section. Enter the website URL and, optionally, a note explaining why this site should have access.

Connect-source

The Connect-Source directive manages outbound connections from a user's browser. This includes, but is not limited to, EventSource, WebSocket, and XMLHttpRequest connections. XMLHttpRequest is the driving force behind AJAX (Asynchronous JavaScript and XML, a Web technology that allows browser-based applications to communicate with a server without transmitting the entire HTTP input, and to render only parts of the form rather than the entire form), so limiting its connection sources can protect your users from a wide range of attacks in which an attacker forces a user's browser to make connections without alerting the user.

Pega recommends adding specific websites, as described above, if users may make Cross Origin requests as part of a Cross Origin Resource Sharing (CORS) system. Avoid using Allow-All.

Font-source

The Font-Source directive controls content sources of web page fonts imported using the CSS "at-rule" @font-face. Although it is unlikely for an attacker to create a font file that directly attacks a user, there have been a number of vulnerabilities exploited by attackers that target the browser's font generation. Such an attack could compromise a user's browser.

Pega recommends adding specific websites, as described above, for Cross Origin Resource Sharing (CORS) requests. Avoid using Allow-All.

Child frame-source

The Child Frame-Source directive manages the content sources that your application can include in frames. If an attacker can control one of your frame sources, the frame's source could pull malicious data, including Cross Site Scripting attacks, into your user's browser, compromising that user.

Pega recommends adding specific websites to the Allowed Websites list, as described above. Avoid using Allow-All.

Image-source

The Image-Source directive controls the sources your application can pull images from. Attackers can use the HTML <img> tag in a Cross Site Scripting attack to obtain confidential information: the injected markup reads page content and requests a non-existent image from the attacker's own malicious site with the page content appended; the attacker can then read your page's content from that site's logs.

Pega recommends adding a short list of reliable web sites to the Allowed Websites list, as described above. Avoid using Allow-All.

Media-source

The Media-Source directive manages sources from which your application can download rich media such as videos and audio files. If an attacker can compromise a page to load a malicious object, the user's computer could be compromised.

Pega recommends adding specific websites to the Allowed Websites list, as described above. Avoid using Allow-All.

Object-source

The Object-Source directive manages sources from which your application can download plugins. Plugins include Flash files, Java applets, scripts in other languages, and generic text documents. Given the power of Flash files and Java applets to run any kind of code, if an attacker can compromise a page to load a malicious object, the user's computer could be fully compromised.

Pega recommends adding specific websites to the Allowed Websites list, as described above. Avoid using Allow-All.

Sandbox

The Sandbox directive controls the sandboxing capabilities of a frame. Use this directive in conjunction with the Child Frame-Source directive. If your application has a page that loads content via a frame, use the "sandbox" attribute to define certain abilities of the child frame. If these settings are too permissive, and an attacker is able to load a malicious site via a frame, that site’s content could affect a legitimate user.

Pega recommends you leave all options here unselected. Only check individual options if they are absolutely necessary to your application.

Script-Source

The Script-Source directive handles all content relating to the HTML <script> tag, to prevent the launch of a Cross Site Scripting attack on your users either by loading content from a malicious source or by directly injecting JavaScript to run on the web page. A guardrail-compliant application should be immune to malicious inline JavaScript, so the primary concern is external content loading.

Pega recommends that you maintain a short list of good web sites by adding sites to the Allowed Websites list, as described above. Avoid using Allow-All.

Style-Source

The Style-Source directive governs all content relating to the HTML <style> tag. Attackers can use the <style> tag to inject CSS stylesheet content or to reference external stylesheets. While not a direct attack vector, a stylesheet loaded from a malicious site may make your application unusable by overriding content with images, odd colors, or decreased opacity, or by removing your content entirely.

Pega recommends that you maintain a short list of good web sites by adding sites to the Allowed Websites list, as described above. Avoid selecting Allow-All.
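As an added example (not code from this help page or from Pega), the following linter parses a Content-Security-Policy header and checks the directives described above against the recommendations: it flags a wildcard source in any of them, a missing fetch directive (the browser then falls back to default-src), 'unsafe-inline' in script-src, and any sandbox flags that relax the frame sandbox. It assumes that Pega's Allow-All option corresponds to the `*` source in the emitted header; the hostnames in the sample headers are constructed.

```python
# Added example: lint a CSP header against the recommendations on this page.
# Assumption (not stated on the page): Pega's "Allow-All" choice is emitted
# as the wildcard source "*" in the Content-Security-Policy header.

# Fetch directives discussed on the page; each falls back to default-src
# when absent from the policy.
REVIEWED = (
    "connect-src", "font-src", "frame-src", "img-src",
    "media-src", "object-src", "script-src", "style-src",
)

def parse_csp(header):
    """Parse a CSP header into {directive: [source, ...]}.
    Directives are ';'-separated; the first token is the (case-insensitive)
    name and the remaining tokens are its source expressions."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(header):
    """Return a list of human-readable findings; an empty list means the
    policy follows the recommendations checked here."""
    policy = parse_csp(header)
    findings = []
    for name in REVIEWED:
        if name not in policy:
            findings.append(f"{name}: missing, browser falls back to default-src")
            continue
        sources = policy[name]
        if "*" in sources:
            findings.append(f"{name}: Allow-All (*) in use; list specific sites instead")
        if name == "script-src" and "'unsafe-inline'" in sources:
            findings.append("script-src: 'unsafe-inline' permits injected inline JavaScript")
    # A bare "sandbox" is the most restrictive form; every flag relaxes it.
    if policy.get("sandbox"):
        findings.append("sandbox: flags relax the frame sandbox: " + " ".join(policy["sandbox"]))
    return findings

# Constructed sample headers: one permissive, one following the recommendations.
WEAK = ("default-src 'self'; connect-src *; script-src 'self' 'unsafe-inline'; "
        "img-src 'self' https://cdn.example.com; sandbox allow-scripts allow-forms")
HARDENED = ("connect-src 'self' https://api.example.com; font-src 'self'; "
            "frame-src https://partner.example.com; img-src 'self' https://cdn.example.com; "
            "media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; sandbox")

if __name__ == "__main__":
    for line in lint_csp(WEAK):
        print(line)
```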
