Content Security Directives

In the area of security, an additional function has been implemented in WebOffice 10.9: content security directives can now be defined. These directives are based on a recommendation of the Open Web Application Security Project (OWASP) and are specific to WebOffice. If necessary, individual directives can be overwritten.


More details about this topic on https://content-security-policy.com

 

Figure: Content Security Directives

 

When configuring a node (without specifying individual directives), the following directives are applied:

 

Directive type | Directive value | Description
default-src | 'none' |
script-src | 'self' 'unsafe-inline' 'unsafe-eval' | Defines valid sources of JavaScript.
worker-src | 'self' blob: | Restricts the URLs which may be loaded as a Worker, SharedWorker or ServiceWorker.
style-src | 'self' 'unsafe-inline' | Defines valid sources of stylesheets or CSS.
object-src | 'self' | Defines valid sources of plugins, e.g. <object>, <embed> or <applet>.
img-src | 'self' data: | Defines valid sources of images.
form-action | 'self' | Defines valid sources that can be used as an HTML <form> action.
media-src | 'self' | Defines valid sources of audio and video, e.g. HTML5 <audio> and <video> elements.
font-src | 'self' | Defines valid sources of font resources (loaded via @font-face).
connect-src | 'self' | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. If not allowed, the browser emulates a 400 HTTP status code.
frame-src | 'self' | Defines valid sources for loading frames. In CSP Level 2 frame-src was deprecated in favor of the child-src directive. CSP Level 3 has undeprecated frame-src, and it will continue to defer to child-src if not present.

 

 

A detailed description of the individual directive types and the corresponding directive values is given at https://content-security-policy.com. This chapter describes only those directives that are relevant to WebOffice. In the following scenarios, individual directives are adapted one at a time and their effects in WebOffice are shown.

 

First, the individual directives have to be created in the node Content Security Directives.

 

 

Figure: Individual configuration of the Directives

 

The project cannot be opened with the following setting.

 

 

Figure: connect-src Directive

Figure: Project cannot initialise

 

If the type frame-src is given the value *, all pop-ups or iframes are blocked.

 

Figure: Pop-ups or iframes cannot be opened

 

Adjusting the type img-src with the value * results in tool icons as well as the map itself not being displayed.

 

Figure: Missing map display

 

When adapting the type script-src with the value *, the project cannot be started.

Figure: Project start is not possible

 

 

Adjusting the type style-src with the value * leads to an incorrect display in WebOffice. The table of contents and the project center are not displayed correctly.

 

Figure: Representation of the topic tree after adaptation of the directive
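The common cause behind the img-src, script-src and style-src scenarios above is that the CSP source `*` is not a superset of the default values: it matches host sources with a network scheme (http, https, ws, wss) only, so it never matches `data:` or `blob:` URLs and never stands in for the `'unsafe-inline'` or `'unsafe-eval'` keywords. The following script is an added example, not WebOffice code: it models the default directive table from this page, serializes it as a Content-Security-Policy header, applies the individual overwrite described above, and checks the resources before and after. The page origin `https://weboffice.example`, the sample `data:` icon, and the assumption that WebOffice loads its icons/map as `data:` URIs and its start-up script and styles inline are constructed for the example; source matching is simplified (no nonces, hashes, wildcard hosts or ports), and the frame-src scenario is left out because the page does not say which URL the pop-ups use.

```python
"""Added example (not WebOffice code): default directives from this page as a
CSP header, plus a simplified source matcher showing why '*' breaks them.
Page origin, sample data: icon and resource-loading assumptions are constructed."""

from urllib.parse import urlsplit

# Default directive values as listed in the table on this page.
DEFAULT_DIRECTIVES = {
    "default-src": ["'none'"],
    "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    "worker-src": ["'self'", "blob:"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "object-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "form-action": ["'self'"],
    "media-src": ["'self'"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "frame-src": ["'self'"],
}

# Directives that fall back to other directives before default-src (CSP Level 3).
FALLBACK = {"worker-src": ["child-src", "script-src"], "frame-src": ["child-src"]}
NETWORK_SCHEMES = ("http", "https", "ws", "wss")


def render_policy(directives):
    """Serialize a directive mapping into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_policy(header):
    """Parse a header value back into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def override(directives, name, value):
    """Copy the policy with one directive replaced (the individual configuration)."""
    updated = dict(directives)
    updated[name] = value.split()
    return updated


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def source_matches(source, url, page_origin):
    """'self' needs the page's origin; '*' matches network schemes only (never
    data: or blob:); a scheme-source such as data: matches by scheme; anything
    else is treated as a plain host-source."""
    if source == "'self'":
        return origin_of(url) == page_origin
    if source == "*":
        return urlsplit(url).scheme in NETWORK_SCHEMES
    if source.endswith(":"):
        return urlsplit(url).scheme + ":" == source
    return origin_of(url) == source.rstrip("/")


def effective_sources(policy, directive):
    """Walk the fallback chain to the source list that governs a directive."""
    for name in [directive] + FALLBACK.get(directive, []) + ["default-src"]:
        if name in policy:
            return policy[name]
    return None  # nothing applies: the browser allows the load


def is_allowed(policy, directive, url=None, inline=False, use_eval=False,
               page_origin="https://weboffice.example"):
    """Decide whether a URL load, an inline block, or eval() is permitted."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    if inline:
        return "'unsafe-inline'" in sources
    if use_eval:
        return "'unsafe-eval'" in sources
    return any(source_matches(s, url, page_origin) for s in sources)


def page_scenarios(page_origin="https://weboffice.example"):
    """Three scenarios from this page: override a directive with '*' and check
    the resource WebOffice needs before and after (resource kinds are assumed)."""
    data_icon = "data:image/png;base64,iVBORw0KGgo="  # constructed sample icon
    checks = {
        "img-src": {"url": data_icon},   # tool icons / map assumed as data: URIs
        "script-src": {"inline": True},  # start-up script assumed inline
        "style-src": {"inline": True},   # TOC / project center styles assumed inline
    }
    results = {}
    for directive, kwargs in checks.items():
        before = is_allowed(DEFAULT_DIRECTIVES, directive, page_origin=page_origin, **kwargs)
        after = is_allowed(override(DEFAULT_DIRECTIVES, directive, "*"),
                           directive, page_origin=page_origin, **kwargs)
        results[directive] = (before, after)
    return results


if __name__ == "__main__":
    print("Content-Security-Policy:", render_policy(DEFAULT_DIRECTIVES))
    for directive, (before, after) in page_scenarios().items():
        print(f"{directive:10s} default allows: {before}   '*' allows: {after}")
```

Running the script prints the assembled header and, for each of the three directives, `True` under the defaults and `False` after the `*` overwrite; the same matcher also confirms that the default `connect-src 'self'` rejects a cross-origin API call and that `worker-src 'self' blob:` still admits a `blob:` worker.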