mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/csp-overview.adoc
2025-12-23 21:00:36 +00:00
// Module included in the following assemblies:
//
// * web_console/dynamic-plugin/content-security-policy.adoc
:_mod-docs-content-type: CONCEPT
[id="content-security-policy-overview_{context}"]
= Key features of Content Security Policy (CSP)
[role="_abstract"]
A Content Security Policy (CSP) is delivered to the browser in the `Content-Security-Policy-Report-Only` response header. The policy is specified as a series of directives and values. Each directive type serves a different purpose, and each directive can have a list of values representing allowed sources.
[id="content-security-policy-directive-types_{context}"]
== Directive Types
The supported directive types are `DefaultSrc`, `ScriptSrc`, `StyleSrc`, `ImgSrc`, and `FontSrc`. These directives allow you to specify valid sources for loading different types of content for your plugin. For example, `ScriptSrc` defines valid JavaScript sources, while `ImgSrc` controls where images can be loaded from.
//backporting the ConnectSrc directive, but that is tbd - openshift/console#14701 and https://github.com/openshift/api/pull/2164
[id="content-security-policy-values_{context}"]
== Values
Each directive can have a list of values representing allowed sources. For example, `ScriptSrc` can specify multiple external scripts. These values are restricted to 1024 characters and cannot include whitespace, commas, or semicolons. Additionally, single-quoted strings and wildcard characters (`*`) are disallowed.
[id="content-security-policy-unified-policy_{context}"]
== Unified Policy
The {product-title} web console aggregates the CSP directives across all enabled `ConsolePlugin` custom resources (CRs) and merges them with its own default policy. The combined policy is then applied with the `Content-Security-Policy-Report-Only` HTTP response header.
[id="content-security-policy-validation-rules_{context}"]
== Validation Rules
* Each directive can have up to 16 unique values.
* The total size of all values across directives must not exceed 8192 bytes (8 KB).
* Each value must be unique, and additional validation rules are in place to ensure no quotes, spaces, commas, or wildcard symbols are used.
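The following added example (not the OpenShift console's own code) applies the validation rules above to a plugin's CSP section, then aggregates several plugins onto a default policy and renders the report-only header described under Unified Policy. The mapping from the CR-style directive names to header directive names, and the default policy and plugin values, are assumptions constructed for the example.

```python
# Added example (not the OpenShift console's own code): checks a plugin's CSP against the
# documented rules and builds the unified report-only header. The CR-style directive names
# and their header equivalents below are assumed for the example.
SUPPORTED = {"DefaultSrc": "default-src", "ScriptSrc": "script-src",
             "StyleSrc": "style-src", "ImgSrc": "img-src", "FontSrc": "font-src"}
MAX_VALUE_LEN, MAX_VALUES, MAX_TOTAL_BYTES = 1024, 16, 8192
FORBIDDEN = set(" \t\r\n,;'*")  # whitespace, comma, semicolon, single quote, wildcard

def validate_plugin_csp(csp: dict) -> list:
    """Return the rule violations for one ConsolePlugin CSP ({directive: [values]})."""
    errors, total = [], 0
    for directive, values in csp.items():
        if directive not in SUPPORTED:
            errors.append(f"{directive}: unsupported directive type")
            continue
        if len(values) > MAX_VALUES:
            errors.append(f"{directive}: more than {MAX_VALUES} values")
        if len(set(values)) != len(values):
            errors.append(f"{directive}: duplicate values")
        for v in values:
            total += len(v.encode())
            if len(v) > MAX_VALUE_LEN:
                errors.append(f"{directive}: value longer than {MAX_VALUE_LEN} characters")
            bad = FORBIDDEN & set(v)
            if bad:
                errors.append(f"{directive}: {v!r} contains disallowed {sorted(bad)}")
    if total > MAX_TOTAL_BYTES:
        errors.append(f"total value size {total} exceeds {MAX_TOTAL_BYTES} bytes")
    return errors

def merge_policies(default: dict, plugins: list) -> dict:
    """Aggregate directives from every enabled plugin onto the console default policy."""
    merged = {d: list(vals) for d, vals in default.items()}
    for csp in plugins:
        for directive, values in csp.items():
            bucket = merged.setdefault(directive, [])
            for v in values:
                if v not in bucket:  # keep each source once in the unified policy
                    bucket.append(v)
    return merged

def render_header(policy: dict) -> tuple:
    """Serialise the merged policy as the report-only header the console sends."""
    body = "; ".join(f"{SUPPORTED[d]} {' '.join(vals)}" for d, vals in policy.items())
    return "Content-Security-Policy-Report-Only", body

# Constructed sample: a console default policy and the CSP sections of two plugin CRs.
DEFAULT_POLICY = {"DefaultSrc": ["'self'"], "ScriptSrc": ["'self'"]}
PLUGIN_A = {"ScriptSrc": ["https://cdn.example.com"], "ImgSrc": ["https://images.example.com"]}
PLUGIN_B = {"ScriptSrc": ["https://cdn.example.com", "https://other.example.net"]}
```

Note that the default policy legitimately carries keyword values such as `'self'`; only plugin-supplied values are subject to the single-quote restriction.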