mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
31 lines
1.7 KiB
Plaintext
31 lines
1.7 KiB
Plaintext
:_mod-docs-content-type: ASSEMBLY
|
|
[id="content-security-policy_{context}"]
|
|
= Content Security Policy (CSP)
|
|
|
|
include::_attributes/common-attributes.adoc[]
|
|
include::_attributes/attributes-openshift-dedicated.adoc[]
|
|
:context: content-security-policy
|
|
|
|
toc::[]
|
|
|
|
[role="_abstract"]
|
|
You can specify Content Security Policy (CSP) directives for your dynamic plugin using the `contentSecurityPolicy` field in the `ConsolePluginSpec` file. This field helps mitigate potential security risks by specifying which sources are allowed for fetching content like scripts, styles, images, and fonts. For dynamic plugins that require loading resources from external sources, defining custom CSP rules ensures secure integration into the {product-title} console.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
The console currently uses the `Content-Security-Policy-Report-Only` response header, so the browser will only warn about CSP violations in the web console and enforcement of CSP policies will be limited. CSP violations will be logged in the browser console, but the associated CSP directives will not be enforced. This feature is behind a `feature-gate`, so you will need to manually enable it.
|
|
|
|
ifndef::openshift-rosa-hcp,openshift-rosa[]
|
|
For more information, see xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling-features-console_nodes-cluster-enabling-features[Enabling feature sets using the web console].
|
|
endif::openshift-rosa-hcp,openshift-rosa[]
|
|
====
|
|
|
|
include::modules/csp-overview.adoc[leveloffset=+1]
|
|
|
|
[role="_additional-resources"]
|
|
[id="content-security-policy_additional-resources"]
|
|
== Additional resources
|
|
|
|
* link:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)]
|
|
|