
Policy Definition tab on the Content Security Policies form

Set the policy directives for each category displayed. Click the title of a category to display or hide its fields.

Base-URI

The Base-URI directive governs the document base URL. Most websites use relative links, which tell the browser where a resource is relative to the current location. The browser combines the document's base Uniform Resource Identifier (URI) with the relative link to build the full path to that resource. An attacker who controls the base URI (for example, by injecting a <base> element) can redirect every relative link, script, and stylesheet reference on the page to the attacker's site and so make the user's browser load malicious content. Base-URI does not inherit from Default-Src, so it has no effect unless it is set explicitly.

Connect-Source

The Connect-Src directive restricts the URLs to which the protected resource can open connections from script. This restriction includes, but is not limited to, EventSource, WebSocket, and XMLHttpRequest (the mechanism behind AJAX) connections. Limiting these connection sources protects users from attacks in which injected script silently sends data to, or fetches content from, an attacker's server without the user noticing. Use this directive if your application's users make cross-origin requests as part of a Cross-Origin Resource Sharing (CORS) system.

Pegasystems recommends adding specific websites for cross-origin requests to the Allowed Websites list. Avoid using Allow-All.

Font-Source

The Font-Src directive controls the locations from which fonts can be loaded. By serving a crafted font file, an attacker can exploit vulnerabilities in the browser's font parsing and rendering code. Such an attack could compromise a user's browser.

Pegasystems recommends adding specific websites for cross-origin requests to the Allowed Websites list. Avoid using Allow-All.

Form Actions

The Form-Actions directive governs the URLs that can be used as the action of an HTML <form> element. If this directive is too permissive, an attacker who can inject markup into a page can point a form at the attacker's website and harvest whatever the user submits, including potentially confidential information. Form-Actions does not inherit from Default-Src, so it has no effect unless it is set explicitly.

Pegasystems recommends adding specific websites to the Allowed Form Actions list. Avoid using Allow-All.

Frame-Ancestors

The Frame-Ancestors directive restricts which websites can embed your application by using a <frame>, <iframe>, <object>, <embed>, or <applet> element. If any site is allowed to embed your application, an attacker can frame it inside a malicious page and capture or redirect each keystroke and mouse click of users who interact with your application through that page (clickjacking). Frame-Ancestors does not inherit from Default-Src, so it has no effect unless it is set explicitly.

Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.

Child frame-Source

The Child-Src directive manages the content sources that your application can include in <frame> and <iframe> elements (browsers that implement CSP Level 3 also use it as the fallback for Frame-Src). An attacker who controls a frame source can make the frame pull malicious content, including cross-site scripting payloads, into your application user's browser. Avoid using Allow-All.

Image-Source

The Img-Src directive controls the sources from which your application can load images. Attackers commonly use the HTML <img> tag as an exfiltration channel in a cross-site scripting attack: injected script builds an image request to the attacker's site for a non-existent image and appends page content, such as session tokens or form values, to the request URL. The browser sends the request without any user interaction, and the attacker then reads your page's content from the malicious site's access logs. Restricting Img-Src to known sources blocks this channel.

Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.

Media-Source

The Media-Src directive manages the sources from which your application can download media such as video and audio files. An attacker who can make a page load a malicious media file can target vulnerabilities in the browser's media decoders and compromise the user's computer.

Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.

Object-Source

The Object-Src directive manages the sources from which your application can download objects by using the <object>, <embed>, and <applet> elements. Such objects include Flash files, Java applets, scripts in other languages, and generic text documents. Flash files and Java applets can run arbitrary code; if an attacker can make a page load a malicious object, the user's computer could be compromised. In CSP terms, the safest value for an application that does not use plug-ins is 'none'.

Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.

Plugin Types

The Plugin-Types directive contains the list of resource (MIME) types that can be retrieved and used to instantiate plug-ins. Used together with other directives, particularly Object-Src, it ensures that only content of the expected type is loaded by a plug-in: even if an attacker manages to upload malicious content, such as a Java applet, to a source that is allowed by Object-Src, the browser refuses to instantiate it unless its type is on this list. Note that Plugin-Types was removed from the CSP Level 3 specification and current browsers ignore it, so do not rely on it as the only control; restrict Object-Src as well.

Pegasystems recommends that you add allowed plug-in types to the list, as described above, or leave the list blank and use other directives carefully to ensure that the user's computer is not compromised.

Sandbox

The Sandbox directive specifies an HTML sandbox policy that the browser applies to the protected resource, the same set of restrictions as the sandbox attribute on an <iframe> (for example, blocking script execution, form submission, pop-ups, and same-origin access). Each option you select here removes one of those restrictions. If the settings are too permissive, an attacker can load a malicious site through a frame and have it run with capabilities it should not have.

Pegasystems recommends that you leave all options here unselected. Only select individual options if they are absolutely required for your application.

Script-Source

The Script-Src directive restricts the sources of scripts that the protected resource can run, protecting users against script injection attacks (for example, XSS). An allowlist of specific sources is only effective if inline scripts and eval are not also permitted, because an injected payload usually arrives as inline script.

Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.

See the W3C documentation for specifying 'unsafe-inline' and 'unsafe-eval'. Both keywords re-enable the injection vectors that this directive exists to block, so allow them only where the application cannot work without them.

Style-Source

The Style-Src directive governs the sources of styles (stylesheets) that can be used, whether declared inline in a <style> element or loaded from an external source. A stylesheet loaded from a malicious site might make your application unusable by overriding content with images, odd colors, reduced opacity, or by hiding your content entirely. Injected CSS can also leak data: attribute selectors can make the browser request an attacker-controlled URL only when a field's value matches a given pattern, disclosing that value character by character.

Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.

See the W3C documentation for specifying ‘unsafe-inline’ and ‘unsafe-eval’.
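The following script is an added example, not part of the Pega platform or this form: it parses a Content-Security-Policy header value and audits it against the recommendations on this tab (no Allow-All, no 'unsafe-inline' or 'unsafe-eval' for scripts and styles, plug-ins disallowed, and Base-URI, Form-Actions and Frame-Ancestors set explicitly because they do not inherit from Default-Src). It assumes that Allow-All on the form produces a bare * source expression, and both header strings below are constructed for the example.

```javascript
// Added example: audit a CSP header value against the guidance on this tab.
// Not Pega code. Header strings are constructed; "Allow-All" is assumed to
// correspond to a bare * source expression.

// Directives that do NOT inherit from default-src; they must be set explicitly.
const NO_FALLBACK = ['base-uri', 'form-action', 'frame-ancestors'];

// Fetch directives that fall back to default-src when absent.
const FETCH_DIRECTIVES = [
  'connect-src', 'font-src', 'img-src', 'media-src', 'object-src',
  'script-src', 'style-src', 'child-src', 'frame-src',
];

// Parse "name src src; name src" into a Map of directive -> source list.
// A repeated directive is ignored, which matches browser behaviour.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Effective source list for a directive, honouring the CSP fallback chain
// (frame-src -> child-src -> default-src; other fetch directives -> default-src).
// Returns null when the directive is effectively unrestricted.
function effectiveSources(policy, name) {
  if (policy.has(name)) return policy.get(name);
  if (name === 'frame-src' && policy.has('child-src')) return policy.get('child-src');
  if (FETCH_DIRECTIVES.includes(name) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null;
}

// Return the list of findings; an empty list means the policy follows the tab's guidance.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  for (const name of [...FETCH_DIRECTIVES, ...NO_FALLBACK]) {
    const sources = effectiveSources(policy, name);
    if (sources === null) {
      findings.push(`${name}: not set (unrestricted)`);
      continue;
    }
    if (sources.includes('*')) findings.push(`${name}: allows any origin (*)`);
    // A scheme-only source such as https: is almost as broad as *.
    for (const s of sources) {
      if (/^https?:$/i.test(s)) findings.push(`${name}: allows any ${s} origin`);
    }
  }

  for (const name of ['script-src', 'style-src']) {
    const sources = effectiveSources(policy, name) || [];
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (sources.includes(kw)) findings.push(`${name}: ${kw} weakens XSS protection`);
    }
  }

  // Plug-ins can run arbitrary code; the safest object-src is 'none'.
  const objectSrc = effectiveSources(policy, 'object-src');
  if (objectSrc && !objectSrc.includes("'none'")) {
    findings.push("object-src: not 'none'; plug-ins can be loaded");
  }
  return findings;
}

// Constructed policies: an Allow-All style header and a tightened one.
const WEAK_CSP =
  "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'";

const HARDENED_CSP = [
  "default-src 'self'",
  "base-uri 'self'",
  "connect-src 'self' https://api.example.com", // assumed API origin
  "font-src 'self'",
  "form-action 'self'",
  "frame-ancestors 'self'",
  "child-src 'self'",
  "frame-src 'self'",
  "img-src 'self'",
  "media-src 'self'",
  "object-src 'none'",
  "script-src 'self'",
  "style-src 'self'",
].join('; ');

console.log('weak policy findings:', auditCsp(WEAK_CSP));
console.log('hardened policy findings:', auditCsp(HARDENED_CSP));
```

Run it with node; the permissive header produces one finding per directive in the table above plus the unsafe keywords and the open Object-Src, while the tightened header produces none. Paste the header your application actually emits (visible in the browser's developer tools under the response headers) in place of the constructed strings to check a real policy.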

The following task is supported on this tab: