[DOCU-1625] Document how to enable Content Security Policy (CSP) support in Magnolia Created: 13/Jul/18  Updated: 06/Sep/19

Status: Open
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Mikaël Geljić Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: csp, suggestion
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Date of First Response:
Epic Link: Pre-2019 mgnl-staff requests

Description

The Cloud team has brought up the topic of Content Security Policy (CSP) to the architecture group.

See:

In particular, CSP can be enabled either A. through HTTP headers on the response, or B. through meta tags in the page.

We generally think this is a project decision—that we don't need any default or preconfiguration in Magnolia Core—but were discussing how to address it if a prospect is interested in, or enquires about it (what do we do for similar cases generally, e.g. CORS?)

A small "how-to" page describing the no-brainer filter configuration (see the AddHeadersFilter snippet), or how to add the meta tag to the site prototype could be considered. We don't need/want to re-explain what CSP is; the Mozilla site is pretty good about it, and if users search for it, there's a good chance they have read about it before.

And most of all, this is just a suggestion really, this should not generate too much work load. Feel free to:

  • (de)prioritize
  • tell me if this doesn't belong in docu
  • bring up to PM
  • and/or close as appropriate, whatever makes more sense really
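
The two delivery mechanisms named above (A: response header, B: meta tag) rendered from one policy definition, as an added example that is not part of this issue and not Magnolia code. The policy values are constructed samples, not a Magnolia default, and the code is plain Python rather than an AddHeadersFilter configuration. It also captures the caveat a how-to page should mention: browsers ignore `frame-ancestors`, `report-uri`, `report-to` and `sandbox` when CSP is delivered via a meta tag, so those directives only work through the HTTP header.

```python
"""Render a Content-Security-Policy as (A) an HTTP header line or
(B) a <meta http-equiv> tag, and flag what each form can and cannot carry.
Added example, not Magnolia code; policy values are constructed samples."""

# Directives that only take effect when delivered in the HTTP header;
# the CSP spec has browsers ignore them inside a <meta> element.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}

# Source expressions that substantially weaken a policy.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}

# Constructed sample policy (ordered dict: serialization keeps this order).
SAMPLE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "img-src": ["'self'", "data:"],
    "frame-ancestors": ["'none'"],
    "report-uri": ["/csp-report"],
}


def serialize_policy(policy: dict) -> str:
    """Turn {directive: [sources]} into the 'a b; c d' header value format."""
    parts = []
    for name, sources in policy.items():
        parts.append(f"{name} {' '.join(sources)}" if sources else name)
    return "; ".join(parts)


def parse_policy(value: str) -> dict:
    """Inverse of serialize_policy: header value -> {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def header_line(policy: dict) -> str:
    """Delivery option A: the full response header line."""
    return f"Content-Security-Policy: {serialize_policy(policy)}"


def meta_dropped_directives(policy: dict) -> list:
    """Directives that would silently stop working under meta-tag delivery."""
    return sorted(name for name in policy if name in META_UNSUPPORTED)


def meta_tag(policy: dict) -> str:
    """Delivery option B: a meta tag with the meta-incompatible directives removed."""
    supported = {k: v for k, v in policy.items() if k not in META_UNSUPPORTED}
    # Only '&' and '"' need escaping inside a double-quoted HTML attribute.
    content = serialize_policy(supported).replace("&", "&amp;").replace('"', "&quot;")
    return f'<meta http-equiv="Content-Security-Policy" content="{content}">'


def weak_directives(policy: dict) -> dict:
    """Report directives carrying weakening sources such as 'unsafe-inline'."""
    return {
        name: [s for s in sources if s in WEAK_SOURCES]
        for name, sources in policy.items()
        if any(s in WEAK_SOURCES for s in sources)
    }


if __name__ == "__main__":
    print(header_line(SAMPLE_POLICY))
    print(meta_tag(SAMPLE_POLICY))
    print("ignored in meta delivery:", meta_dropped_directives(SAMPLE_POLICY))
    print("weak:", weak_directives({"script-src": ["'self'", "'unsafe-inline'"]}))
```

Running it shows that the same policy loses its `frame-ancestors` and `report-uri` directives when moved from the header into the page, which is the main reason the filter-based option A is usually the one worth documenting first.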

Comments
Comment by Julie Legendre [ 23/Aug/18 ]

See mdrapela's comment on https://documentation.magnolia-cms.com/display/DOCS57/Magnolia+Cloud+update+-+July+2018

Comment by Martin Drápela [ 28/Aug/18 ]

A follow-up discussion on this in the Krom office concluded that our default CSP config in 

https://git.magnolia-cms.com/projects/OD/repos/cloud-modules/browse/magnolia-now-configuration/src/main/resources/mgnl-bootstrap/magnolia-now-configuration/config.server.filters.cspHeader.xml

brings more problems (nested permissions) rather than benefits and that ideally - ootb - the config CSP header filter should be

enabled: false.
Generated at Mon Feb 12 01:19:48 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.