Content-Security-Policy and Portal Pages
Content Security Policy (CSP) is a W3C recommendation for specifying restrictions on how browsers should handle potentially dangerous components in an HTTP response entity. As of this writing, two levels of the recommendation are available:
- CSP Level 2 (recommendation 2016-12-15)
- CSP Level 3 (working draft; many features implemented in modern browsers)
By default, the TD platform does not include any Content-Security-Policy HTTP headers on portal pages. If your corporate security guidelines require CSP directives on your TD portal pages, here are some options.
Adding CSP header to portal pages
The portal theme provides the ability to add <meta> tags to the <head> element of any HTML page generated by the portal. One way to deliver CSP headers to the browser is by adding a <meta> tag like:
<meta http-equiv="Content-Security-Policy" content="{your-csp-here}">
Replace {your-csp-here} with the actual policy desired. The policy goes in the content attribute, and <meta> is a void element, so it takes no closing tag. Note that a few directives (frame-ancestors, report-uri, and sandbox) are ignored when the policy is delivered by a <meta> tag and only take effect in the HTTP header.
Policies delivered by http-equiv <meta> tags may be superseded by HTTP CSP headers added to the response. If all portal pages on a site should be subject to the same CSP, contact Oberon Support to add the desired CSP to the site settings. This policy will be delivered as the Content-Security-Policy HTTP header on all portal pages.
Generating CSP-compliant portal pages
The portal theme developer is responsible for ensuring that all pages generated in the portal comply with the effective CSP.
When a Content-Security-Policy is in effect for a web page, disallowed components in the page will be disabled. This could affect the appearance, behavior, and usability of the web page.
Policies that do not allow the 'unsafe-inline' and 'unsafe-eval' script and style sources are a common cause of problems. Many TD portal themes now in use violate such policies (including the built-in and provided themes, as well as custom themes derived from them).
Before implementing strict CSP on portal pages, review and test the portal theme to find and remove components that would violate the intended CSP. For example, if the CSP includes script-src 'self'; then inline <script> elements and inline event-handler attributes (such as onclick) will be disabled, while scripts loaded from the site's own origin through a src attribute continue to run. Any part of the theme that generates inline script elements and attributes must be modified.
Any theme that relies on TD XSLT modules for transforming XML to HTML could generate inline <style> elements and style attributes in a portal page. These will be disallowed by CSP unless the policy includes style-src 'self' 'unsafe-inline'; . The impact on portal page display will range from minor to severe. In cases where style 'unsafe-inline' is not allowed, significant changes may be required to override the built-in XSLT stylesheets to eliminate inline styles.
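The review step described above (finding inline script and style usage that a given policy would block) and the <meta>-delivered policy from the earlier section can both be exercised with a small scanner. The following is an added example, not code from the TD platform or any portal theme; the function names, the sample page, and the policies are constructed for illustration. It uses only the Python standard library, models the script-src and style-src directives with the default-src fallback and the 'unsafe-inline' keyword, and deliberately does not model nonce or hash allowlisting or the Level 3 -elem/-attr directives.

```python
"""Scan a generated portal page for components a CSP would block.

Added example (not TD platform code). Standard library only. Models
script-src / style-src with default-src fallback and 'unsafe-inline';
nonce/hash sources and the Level 3 -elem/-attr directives are not modelled.
"""
from __future__ import annotations

from html.parser import HTMLParser

# Constructed sample page mixing allowed and disallowed components.
SAMPLE_PORTAL_PAGE = """\
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'">
<style>.hero { color: red; }</style>
<script src="/theme/portal.js"></script>
<script>document.title = "Portal";</script>
</head>
<body>
<div style="margin:0" onclick="openMenu()">Menu</div>
<a href="javascript:void(0)">Skip</a>
</body>
</html>
"""

# Finding kinds governed by script-src; everything else here is style-src.
SCRIPT_KINDS = {"inline-script-element", "inline-event-handler", "javascript-url"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated; directive
    names are case-insensitive. Only the first occurrence of a directive
    counts, which is how browsers treat duplicates.
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(csp: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources for script-src or style-src, falling back to default-src.

    Returns None when neither is present, i.e. the directive is unrestricted.
    """
    return csp.get(directive, csp.get("default-src"))


class _InlineCollector(HTMLParser):
    """Record inline script/style usage and any <meta>-delivered policy."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, int, str]] = []  # (kind, line, detail)
        self.meta_csp: str | None = None

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attr = dict(attrs)
        if tag == "script" and attr.get("src") is None:
            self.findings.append(("inline-script-element", line, "<script>"))
        elif tag == "style":
            self.findings.append(("inline-style-element", line, "<style>"))
        elif tag == "meta" and (attr.get("http-equiv") or "").lower() == "content-security-policy":
            self.meta_csp = attr.get("content")
        for name, value in attr.items():
            value = value or ""
            if name.startswith("on"):  # every HTML event-handler attribute starts with "on"
                self.findings.append(("inline-event-handler", line, f"{name}={value!r}"))
            elif name == "style":
                self.findings.append(("inline-style-attribute", line, f"style={value!r}"))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", line, f"{name}={value!r}"))


def _collect(html: str) -> _InlineCollector:
    collector = _InlineCollector()
    collector.feed(html)
    collector.close()
    return collector


def extract_meta_csp(html: str) -> str | None:
    """Return the policy carried by a <meta http-equiv="Content-Security-Policy"> tag, if any."""
    return _collect(html).meta_csp


def find_csp_violations(html: str, policy: str) -> list[tuple[str, int, str]]:
    """List (kind, line, detail) for page components the policy would block."""
    csp = parse_csp(policy)
    script_src = effective_sources(csp, "script-src")
    style_src = effective_sources(csp, "style-src")
    violations = []
    for kind, line, detail in _collect(html).findings:
        sources = script_src if kind in SCRIPT_KINDS else style_src
        # An unset directive imposes no restriction; otherwise inline use
        # needs the 'unsafe-inline' keyword to be permitted.
        if sources is not None and "'unsafe-inline'" not in sources:
            violations.append((kind, line, detail))
    return violations


if __name__ == "__main__":
    # Use the policy the sample page delivers via <meta>, as the earlier section describes.
    policy = extract_meta_csp(SAMPLE_PORTAL_PAGE) or "default-src 'self'"
    print(f"Checking against: {policy}")
    for kind, line, detail in find_csp_violations(SAMPLE_PORTAL_PAGE, policy):
        print(f"line {line}: {kind}: {detail}")
```

Run against the sample page with its own <meta> policy, the scanner reports the inline <script> element, the onclick handler, and the javascript: URL, while the <style> element and style attribute pass because style-src carries 'unsafe-inline'. Swapping in a bare default-src 'self' policy flags all five, which is the situation the XSLT-generated inline styles above would produce. Pointing the same functions at a theme's real generated output gives a per-line worklist before the policy is enforced.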