Deployment Manual / 4.5.6 Content Security Policy Configuration

Advanced Search

Deployment Manual / Version 2107

Table Of Contents

4.5.6 Content Security Policy Configuration

The following list contains configuration properties related to Content Security Policy (CSP) in the Studio.

`studio.security.csp.connect-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'connect-src' policy directive. Defaults to 'self'.
`studio.security.csp.csp-mode`
Type	com.coremedia.rest.security.util.CSPMode
Default
Description	Level of Content Security Policy protection (CSP). For further details about CSP and the default policy settings please refer to the Studio Developer Manual. Allowed values are: ENFORCE - Enable CSP protection. This is the default. ENFORCE_ALLOW_DISABLE - Enable CSP protection unless the 'disableCsp' query parameter is 'true'. REPORT - Enable CSP report only mode without enforcing CSP protection. DISABLE - Disable CSP protection and reporting.
`studio.security.csp.font-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'font-src' policy directive. Defaults to 'self'.
`studio.security.csp.frame-ancestors`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'frame-ancestors' policy directive. Defaults to 'self'. @deprecated Configuring this setting does not have an effect anymore. Please configure this directive in deployment.
`studio.security.csp.frame-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'frame-src' policy directive. The hierarchy of default values for this directive is as follows studio.previewUrlWhitelist values if specified schema and authority of studio.previewUrlPrefix if specified 'self' To allow YouTube videos inside the external preview, add the Youtube URL: studio.security.csp.frameSrc=http://localhost:40980,.coremedia.vm:40980, .coremedia.vm,.coremedia.com,.coremedia.com:8000,*.coremedia.vm:8000, 'self',www.youtube.com
`studio.security.csp.img-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'img-src' policy directive. Defaults to 'self'.
`studio.security.csp.manifest-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'manifest-src' policy directive. Defaults to 'self'.
`studio.security.csp.media-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'media-src' policy directive. Defaults to 'self'.
`studio.security.csp.object-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'object-src' policy directive. Defaults to 'self'.
`studio.security.csp.report-uri`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'report-uri' policy directive. If no custom list is provided the directive is not included.
`studio.security.csp.script-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'script-src' policy directive. Defaults to 'self','unsafe-eval'.
`studio.security.csp.style-src`
Type	java.util.List<java.lang.String>
Default
Description	List of values for the 'style-src' policy directive. Defaults to 'self','unsafe-inline'.

Table 4.28. Content Security Policy Related Studio Properties

Search Results

Table Of Contents