A Content Security Policy (CSP) is a security standard that provides websites an additional layer of protection from cross-site scripting (XSS), clickjacking, and other code injection attacks, and is implemented via the Content-Security-Policy HTTP security header.
The product engineering team released an enhancement to allow us the customization of the CSP header for CivicEngage Evolve websites. We have already defined in the CSP all the minimum required resources that must be allowed for the Evolve application to function, and can now further modify the CSP header for each website to add additional resources to the following directives:
You can see the current CSP implemented for your site using the CSP Evaluator provided by Google. Simply input your website URL and click Check CSP.
You must contact Support to make any changes to your CSP.
What To Submit to CivicPlus
For each directive you would like to customize, provide us with a list of domains that should be trusted along with the protocols that should be allowed--http & https or https only (recommended)--i.e. https://google.com. There are specific directives we can put these domains into but most directives will use the default-src domains if nothing is specifically defined there. One exception to this is the frame-ancestors directive, which specifies which other sites are allowed to iframe any part of your site into their content. The frame-ancestors directive must be defined specifically, as it does not inherit resource allowances from the default-src directive.
Define the following directives, at a minimum, when customizing your CSP:
- default-src: what domains should be trusted in general for any "fetch" directives. Please read this Content Security Policy Cheat Sheet for more information on fetch directives.
- frame-ancestors: which URLs can embed any part of your site as an iframe. This is not a 'fetch' directive so it needs to be defined separately from the default-src domains to allow this. This directive is used instead of the X-frame-Options header and provides for clickjacking protection for your website.
Other directives that can be specifically defined, when customizing your CSP:
- style-src: Where should we allow styles to be loaded from, i.e. fonts.googleapis.com has already been added. If you are loading styles from anywhere else besides the ones we normally use you can add those resources here.
- script-src: Where can scripts be loaded from onto your site, i.e. https://www.google-analytics.com for google analytics has already been added. If you have added any custom HTML widgets, you will want to note what resources are being used for those, i.e. do you use MailChimp scripts anywhere
- form-action: Where forms can be submitted to. Currently set to only the site (self).
A: This is correct.
Q: The script_src directive has 'unsafe-eval' specified. Is this also required due to functionality we're currently using on the site?
A: This is also correct.
A: We do not have in mind to remove these in the future. They are part of the system for several places where we offer functionality and flexibility on the system, including performance.