openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
66af9136742711a98915143bb1f7201c4a388651
openshift-docs/modules/csp-overview.adoc

36 lines
2.0 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * web_console/dynamic-plugin/content-security-policy.adoc
:_mod-docs-content-type: CONCEPT
[id="content-security-policy-overview_{context}"]
= Content Security Policy (CSP) overview
A Content Security Policy (CSP) is delivered to the browser in the `Content-Security-Policy-Report-Only` response header. The policy is specified as a series of directives and values. Each directive type serves a different purpose, and each directive can have a list of values representing allowed sources.
[id="content-security-policy-key-features_{context}"]
== Key features of `contentSecurityPolicy`
=== Directive Types
The supported directive types include `DefaultSrc`, `ScriptSrc`, `StyleSrc`, `ImgSrc`, and `FontSrc`. These directives allow you to specify valid sources for loading different types of content for your plugin. Each directive type serves a different purpose. For example, `ScriptSrc` defines valid JavaScript sources, while `ImgSrc` controls where images can be loaded from.
//backporting the ConnectSrc directive, but that is tbd - openshift/console#14701 and https://github.com/openshift/api/pull/2164
=== Values
Each directive can have a list of values representing allowed sources. For example, `ScriptSrc` can specify multiple external scripts. These values are restricted to 1024 characters and cannot include whitespace, commas, or semicolons. Additionally, single-quoted strings and wildcard characters (`*`) are disallowed.
=== Unified Policy
The {product-title} web console aggregates the CSP directives across all enabled `ConsolePlugin` custom resources (CRs) and merges them with its own default policy. The combined policy is then applied with the `Content-Security-Policy-Report-Only` HTTP response header.
=== Validation Rules
* Each directive can have up to 16 unique values.
* The total size of all values across directives must not exceed 8192 bytes (8KB).
* Each value must be unique, and additional validation rules are in place to ensure no quotes, spaces, commas, or wildcard symbols are used.
View Git Blame Copy Permalink