The Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), by providing policy directives to compliant browsers. This feature is enabled by default. You can reconfigure the policy directives by adding entries to locked.properties.

Table 1. CSP Properties

Property

Value Type

Master Default

Other Defaults

enableCSP

true

false

true

n/a

content-security-policy

directives-list

default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';font-src 'self' data:

portal=child-src 'self' blob:;default-src 'self';connect-src 'self' wss:;font-src 'self' data:;img-src 'self' data: blob:;media-src 'self' blob:;object-src 'self' blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';frame-ancestors 'self'

x-frame-options

OFF

specification

deny

portal=sameorigin

x-content-type-options

OFF

specification

nosniff

n/a

x-xss-protection

OFF

specification

1; mode=block

n/a

You can add CSP properties to the locked.properties file. Example CSP properties:

enableCSP = true
content-security-policy = default-src 'self';script-src 'self' data:
content-security-policy-portal = default-src 'self';frame-ancestors 'self'
x-frame-options = deny
x-frame-options-portal = sameorigin
x-xss-protection = 1; mode=block