close

Filter

loading table of contents...

Deployment Manual / Version 2010

Table Of Contents

4.5.3 Content Security Policy Configuration

The following list contains configuration properties related to Content Security Policy (CSP) in the Studio.

studio.security.csp.connect-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'connect-src' policy directive. Defaults to 'self'.

studio.security.csp.csp-mode
Type com.coremedia.rest.security.util.CSPMode
Default  
Description

Level of Content Security Policy protection (CSP). For further details about CSP and the default policy settings please refer to the Studio Developer Manual. Allowed values are:

  • ENFORCE - Enable CSP protection. This is the default.

  • ENFORCE_ALLOW_DISABLE - Enable CSP protection unless the 'disableCsp' query parameter is 'true'.

  • REPORT - Enable CSP report only mode without enforcing CSP protection.

  • DISABLE - Disable CSP protection and reporting.

studio.security.csp.font-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'font-src' policy directive. Defaults to 'self'.

studio.security.csp.frame-ancestors
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'frame-ancestors' policy directive. Defaults to 'self'. @deprecated Configuring this setting does not have an effect anymore. Please configure this directive in deployment.

studio.security.csp.frame-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'frame-src' policy directive. The hierarchy of default values for this directive is as follows

  1. studio.previewUrlWhitelist values if specified

  2. schema and authority of studio.previewUrlPrefix if specified

  3. 'self'

To allow YouTube videos inside the external preview, add the Youtube URL: studio.security.csp.frameSrc=http://localhost:40980,*.coremedia.vm:40980, *.coremedia.vm,*.coremedia.com,*.coremedia.com:8000,*.coremedia.vm:8000, 'self',www.youtube.com

studio.security.csp.img-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'img-src' policy directive. Defaults to 'self'.

studio.security.csp.manifest-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'manifest-src' policy directive. Defaults to 'self'.

studio.security.csp.media-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'media-src' policy directive. Defaults to 'self'.

studio.security.csp.object-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'object-src' policy directive. Defaults to 'self'.

studio.security.csp.report-uri
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'report-uri' policy directive. If no custom list is provided the directive is not included.

studio.security.csp.script-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'script-src' policy directive. Defaults to 'self','unsafe-eval'.

studio.security.csp.style-src
Type java.util.List<java.lang.String>
Default  
Description

List of values for the 'style-src' policy directive. Defaults to 'self','unsafe-inline'.

Table 4.21. Content Security Policy Related Studio Properties


Search Results

Table Of Contents