System Settings – CSP

Overview

Displays configuration options for the Content Security Policy-based restrictions. Allows system administrators to restrict behavior defined at the app level, contributing to improved security.

CSP Settings

  • Enable CSP enforcement

CSP Allowlist

Add Entry
  • Directive*
    • Script file requests (script-src)
    • Data communications (connect-src)
  • Source*
  • Comment
  • Enabled
Script file requests
  • Source / Comment / Status / Updated by / Updated
Data communications
  • Source / Comment / Status / Updated by / Updated

CSP Reports

  • Today / Yesterday / This Month / Last Month
  • Date range
  • Directive / Violation Host / Count
  • Download CSV

Notes

  • Content Security Policy (CSP) restrictions can be enabled and an allow list can be set
  • The restrictions apply to Markdown/HTML/JavaScript written in the [Description] field of Data Items
  • System administrators can restrict app-defined behavior, improving security
  • This is a platform-wide common setting; it cannot be configured on a per-app basis
  • You can view a Content Security Policy (CSP) violation report
    • [CSP report] records accesses to external sites, excluding accesses to hosts allowed by the CSP settings
    • The report is recorded regardless of whether CSP restrictions are enabled or disabled
      • Enabled: Access is blocked and recorded in the report
      • Disabled: Access is not blocked, only recorded in the report
      • The Disposition field in the report CSV identifies whether the restriction was enabled or disabled
    • It is not guaranteed that all accesses will be recorded
      • If there are many accesses in a short period of time, some accesses will not be recorded
  • For newly created workflow platforms, CSP restrictions are enabled by default
    • On workflow platforms newly built from Version 17.2 onward, loading scripts from external sites and making AJAX requests to external destinations are disabled by default
    • For existing workflow platforms upgraded from Version 17.1 to 17.2, CSP restrictions remain disabled (existing behavior is unchanged unless CSP is explicitly enabled)
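
Before enabling enforcement on an upgraded platform, the downloaded report can be triaged to see which external hosts would start being blocked. The following is an added example, not Questetra's own code: the CSV column names, the "report"/"enforce" Disposition values (borrowed from the standard CSP violation report) and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample. Column names and Disposition values are assumptions
# modelled on the fields this page names, not the product's documented format.
SAMPLE_CSV = """Directive,Violation Host,Disposition,Count
script-src,cdn.example.com,report,42
script-src,cdn.example.com,report,8
connect-src,api.example.net,report,17
script-src,tracker.example.org,report,3
connect-src,api.example.net,enforce,5
"""

# Hosts added to the CSP Allowlist since the rows were recorded (constructed).
ALLOWLIST = {"script-src": {"static.example.com"}, "connect-src": set()}


def summarize(csv_text):
    """Total violation counts per (directive, host), split by disposition."""
    totals = defaultdict(lambda: {"report": 0, "enforce": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        disposition = row["Disposition"].strip().lower()
        if disposition not in ("report", "enforce"):
            continue  # unknown value: skip rather than guess its meaning
        key = (row["Directive"].strip(), row["Violation Host"].strip().lower())
        totals[key][disposition] += int(row["Count"])
    return dict(totals)


def review_queue(csv_text, allowlist):
    """Hosts recorded while CSP was disabled and not allowlisted, busiest first.

    These accesses would start failing once enforcement is switched on, so
    each one needs a decision: add it to the allowlist or accept the block.
    """
    queue = []
    for (directive, host), counts in summarize(csv_text).items():
        if counts["report"] and host not in allowlist.get(directive, set()):
            queue.append((directive, host, counts["report"]))
    return sorted(queue, key=lambda item: (-item[2], item[0], item[1]))


if __name__ == "__main__":
    for directive, host, count in review_queue(SAMPLE_CSV, ALLOWLIST):
        print(f"{directive:12} {host:24} {count:5}  review before enabling")
```

Because the report does not capture every access during bursts, a host missing from the queue is not proof that nothing depends on it.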
