Content-Security-Policy and Administration Application
Content Security Policy (CSP) is a W3C recommendation for specifying restrictions on how browsers should handle potentially dangerous components in an HTTP response entity. As of this writing, two levels of the recommendation are available.
- CSP Level 2 (recommendation 2016-12-15)
- CSP Level 3 (working draft; many features implemented in modern browsers)
By default, TD includes the following Content-Security-Policy HTTP header on all administration application pages.
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
The admin application will function as expected in browsers that implement these CSP directives.
If your site requires a different policy, contact Oberon Support to discuss your requirements. The following stricter policies can be implemented on request, but will impose restrictions on certain aspects of the application.
For sites that do not allow script-src 'unsafe-inline' 'unsafe-eval', the TD administration application will function normally, except that the assembly editor will be disabled if the following policy is in effect.
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
A future version of TD will lift this limitation with respect to the assembly editor.
For sites that do not allow style-src 'unsafe-inline', the TD administration application will function normally, except that content item preview may be degraded (due to the use of inline @style attributes in the preview HTML). It may be possible to remedy these defects by providing a doctype preview.xsl stylesheet that eliminates the use of inline styles. (See "Custom Preview Stylesheets" in the Titania Delivery Developer's Guide.) Then the following policy could be added.
default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:;
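The checker below is an added example, not part of TD or this page's own tooling: it parses a Content-Security-Policy header the way a browser does (first occurrence of a directive wins, fetch directives fall back to default-src, unknown directive names are ignored) and reports which of the admin-application limitations described above a given policy would trigger. The directive set and feature rules are assumptions drawn from the CSP specification and the text above.

```python
"""Parse a CSP header and report which TD admin features the page says depend
on the relaxed source expressions 'unsafe-inline' and 'unsafe-eval'."""

# Directive names from CSP Level 2 / Level 3 (assumption: this subset is enough
# for the policies discussed here; anything else is reported as unrecognised).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "frame-src", "media-src", "object-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
    "report-uri", "report-to", "sandbox", "upgrade-insecure-requests",
}


def parse_csp(header):
    """Return {directive: [source expressions]} for a CSP header value.
    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and a repeated directive keeps only its first occurrence."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src when absent."""
    return policy[directive] if directive in policy else policy.get("default-src", [])


def review(header):
    """List the admin-application limitations a policy would impose, plus any
    directive names browsers would silently ignore (e.g. a misspelling)."""
    policy = parse_csp(header)
    findings = [f"unknown directive '{n}' is ignored by browsers"
                for n in policy if n not in KNOWN_DIRECTIVES]
    script = effective_sources(policy, "script-src")
    style = effective_sources(policy, "style-src")
    if not ("'unsafe-inline'" in script and "'unsafe-eval'" in script):
        findings.append("assembly editor disabled: script-src lacks 'unsafe-inline'/'unsafe-eval'")
    if "'unsafe-inline'" not in style:
        findings.append("content item preview may be degraded: style-src lacks 'unsafe-inline'")
    return findings
```

Running review() over the default header returns no findings, while a policy that misspells img-src shows both the ignored directive and, because script-src and style-src then fall back to default-src 'self', both feature limitations.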