[DOCU-1625] Document how to enable Content Security Policy (CSP) support in Magnolia Created: 13/Jul/18 Updated: 06/Sep/19 |
|
| Status: | Open |
| Project: | Documentation |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | New Feature | Priority: | Minor |
| Reporter: | Mikaël Geljić | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | csp, suggestion | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: | |
| Acceptance criteria: | Empty |
| Date of First Response: | |
| Epic Link: | Pre-2019 mgnl-staff requests |
| Description |
|
The Cloud team has brought up the topic of Content Security Policy (CSP) to the architecture group. See:

In particular, CSP can be enabled either A. through HTTP headers on the response, or B. through meta tags in the page. We generally think this is a project decision (that we don't need any default or preconfiguration in Magnolia Core), but were discussing how to address it if a prospect is interested in, or enquires about, it (what do we do for similar cases generally, e.g. CORS?). A small "how-to" page describing the no-brainer filter configuration (see the AddHeadersFilter snippet), or how to add the meta tag to the site prototype, could be considered.

We don't need/want to re-explain what CSP is; the Mozilla site is pretty good about it, and if users search for it, there's a good chance they have read about it before. And most of all, this is just a suggestion really; this should not generate too much workload. Feel free to:
|
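The ticket's option A (a CSP header added by a filter) as an added example. This is not the ticket's AddHeadersFilter snippet and not Magnolia code; it is a plain javax.servlet filter whose class name, init parameter and policy string are assumptions. It sends a per-request nonce so that templates can mark their own inline scripts, and starts in report-only mode unless explicitly switched to enforcement:

```java
// Added example, not code from the ticket or from Magnolia. Class name, the
// "enforce" init parameter and the policy below are assumptions for illustration.
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CspHeaderFilter implements Filter {

    /** Request attribute under which templates find the nonce for this response. */
    public static final String NONCE_ATTRIBUTE = "cspNonce";

    private static final SecureRandom RANDOM = new SecureRandom();

    // true  -> Content-Security-Policy (violations are blocked)
    // false -> Content-Security-Policy-Report-Only (violations are only reported)
    private boolean enforce;

    @Override
    public void init(FilterConfig config) {
        // Defaults to report-only so enabling the filter cannot break an existing site.
        enforce = Boolean.parseBoolean(config.getInitParameter("enforce"));
    }

    /** 128 random bits, base64-encoded: the format browsers accept in 'nonce-...'. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * Policy for one response. frame-ancestors is included because this policy
     * travels as a header; a <meta> tag cannot carry frame-ancestors, report-uri
     * or sandbox, which is the main functional difference between options A and B.
     */
    static String policyFor(String nonce) {
        return "default-src 'self'; "
             + "script-src 'self' 'nonce-" + nonce + "'; "
             + "style-src 'self' 'nonce-" + nonce + "'; "
             + "img-src 'self' data:; "
             + "object-src 'none'; "
             + "base-uri 'self'; "
             + "frame-ancestors 'self'";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        String nonce = newNonce();
        // Templates read this attribute and render <script nonce="..."> for inline code.
        req.setAttribute(NONCE_ATTRIBUTE, nonce);
        String headerName = enforce
                ? "Content-Security-Policy"
                : "Content-Security-Policy-Report-Only";
        // Set before the chain runs so the header exists even if a later filter commits the response.
        response.setHeader(headerName, policyFor(nonce));
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Register it in web.xml (or the equivalent filter chain position in the project) ahead of the rendering filters, with `enforce` left unset until the report-only run shows no unexpected violations. For option B the same policy string, minus frame-ancestors, can be rendered into a `<meta http-equiv="Content-Security-Policy" content="...">` element in the site prototype, but the nonce must then be generated by the template rather than by a filter. One caveat worth a line in any how-to: if a header and a meta tag are both present (for example a product default plus a project-specific one), a resource has to satisfy every policy, so two policies do not merge into a looser one; they intersect.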
| Comments |
| Comment by Julie Legendre [ 23/Aug/18 ] |
|
See mdrapela's comment on https://documentation.magnolia-cms.com/display/DOCS57/Magnolia+Cloud+update+-+July+2018 |
| Comment by Martin Drápela [ 28/Aug/18 ] |
|
A follow-up discussion on this in the Krom office concluded that our default CSP config brings more problems (nested permissions) rather than benefits, and that ideally, OOTB, the CSP header filter config should be `enabled: false`.
|