Content Security Policy: Allow multiple domains

Hi,


I would like to implement security for allowed URL redirection. In my application, other than self, I would like to allow only two more domains, for example: www.w3schools.com and www.google.com.

Base-URI has been set to the values:

self

www.w3schools.com

www.google.com


Yet if I redirect to some other URI, the system still allows it to navigate.

How do I allow only selected domains, other than self, in the Content Security Policy?


Thank you,

Ramya S

Hi Ramya,

What worked for me was prepending 'https://' to the domains.

Also, I noticed that applying the settings in LifeTime did not immediately change the Content Security Policy. Only after republishing the module the settings were applied.

See if this works for you.

Regards,

Nordin

Nordin Ahdi wrote:

Hi Ramya,

What worked for me was prepending 'https://' to the domains.

Also, I noticed that applying the settings in LifeTime did not immediately change the Content Security Policy. Only after republishing the module the settings were applied.

See if this works for you.

Regards,

Nordin


Hi Nordin,

Thank you for the details.

I have published with the https domain.

I have attached the file. Can you please look into it and confirm whether it is the right way of doing it?


Thanks and Regards,

Ramya S

Solution

Hi Ramya,

Now that I have read your first post more carefully and understand your goal, I don't think you can disallow redirects to other domains with Content Security Policy. You can read more about it here.

Furthermore, the best way to test your application with new CSP directives is to run the application in your browser and open your Browser Dev Tools (console) in order to check if a policy is violated.

CSP violations are also logged in the Error log in Service Center. Just set the Module filter to 'CSPReport' in order to do so.

Regards,

Nordin
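Since CSP cannot restrict where the application redirects, an allow-list has to be enforced in the server-side code that performs the redirect. The following is an added example, not code from this thread or from OutSystems, that validates a redirect target against self plus the two hosts from the question; the application host name myapp.example.com is an assumption.

```python
# Added example: server-side allow-list for redirect targets.
# Hosts below come from the question; myapp.example.com is an assumed
# placeholder for the application's own host ("self").
from urllib.parse import urlsplit

SELF_HOST = "myapp.example.com"          # assumption: your app's host name
ALLOWED_HOSTS = {"www.w3schools.com", "www.google.com"}


def is_safe_redirect(target: str, self_host: str = SELF_HOST) -> bool:
    """Return True only if `target` stays on self or on an allow-listed host.

    Accepts relative paths and https URLs to allowed hosts. Rejects
    protocol-relative URLs (//host), backslash variants browsers normalise
    to a new origin, non-https schemes, userinfo tricks
    (https://www.google.com@evil.example) and look-alike hosts
    (www.google.com.evil.example).
    """
    if not target or any(c in target for c in "\r\n\x00"):
        return False                        # header-injection characters
    if target.startswith(("//", "/\\", "\\")):
        return False                        # treated as absolute by browsers
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/")      # plain relative path on self
    if parts.scheme.lower() != "https":
        return False                        # http:, javascript:, data: ...
    if parts.username is not None or parts.password is not None:
        return False                        # userinfo hides the real host
    host = parts.hostname or ""             # lower-cased, port stripped
    return host == self_host or host in ALLOWED_HOSTS


def choose_redirect(requested: str, fallback: str = "/") -> str:
    """Pick the redirect location: the requested one if safe, else fallback."""
    return requested if is_safe_redirect(requested) else fallback
```

Use `choose_redirect()` at the point where the "next" or "returnUrl" parameter is turned into a Location header, so unexpected targets silently fall back to the application's home page.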


Nordin Ahdi wrote:

Hi Ramya,

Now that I have read your first post more carefully and understand your goal, I don't think you can disallow redirects to other domains with Content Security Policy. You can read more about it here.

Furthermore, the best way to test your application with new CSP directives is to run the application in your browser and open your Browser Dev Tools (console) in order to check if a policy is violated.

CSP violations are also logged in the Error log in Service Center. Just set the Module filter to 'CSPReport' in order to do so.

Regards,

Nordin

Thank you, Nordin.