When configuring the trusted sources security policy for your Sitefinity CMS website, you can granularly define the Content-Security-Policy HTTP response header for different types of content. The value of the Content-Security-Policy contains one or more directives that define the valid sources for each type of content. The value of each directive can also contain specific keywords which enable you to fine-tune the behavior of the directive by matching or excluding certain conditions – like building a powerful regular expression. These keywords are known as a source list. The table below provides a reference of the supported source list values:
Wildcard, allows any URL except data: blob: filesystem: schemes.
Prevents loading resources from any source.
Allows loading resources from the same origin (same scheme, host and port).
Allows loading resources via the data scheme (for example Base64 encoded images).
Allows loading resources from the specified domain name.
Allows loading resources from any subdomain under example.com.
Allows loading resources only over HTTPS matching the given domain.
Allows loading resources only over HTTPS on any domain.
Allows script or style tag to execute if the nonce attribute value matches the header value. For example:<script nonce="2726c7f26c">alert("hello");</script>
NOTE: Multiple source list values can be space separated except for 'none' which should be the only value.
Below you can find examples on how to configure your Sitefinity CMS Content-Security-Policy HTTP header for some common scenarios:
Allow everything but only from the same origin
Put 'self' in Trusted sources for… -> Any content.
Only Allow Scripts from the same origin
Put 'self' in Trusted sources for… -> Scripts.
Allow Google Analytics, Google AJAX CDN and Same Origin
Put 'self' www.google-analytics.com ajax.googleapis.com
in Configure Trusted sources for… -> Any content.
Projects created with Sitefinity CMS version 11.0 and later come with a pre-configured trusted sources policy. The default values for the Content-Security-Policy HTTP response header include the sources required by Sitefinity CMS to operate normally. You can customize the policy to suit you need. Be aware that removing any of the default sources might result in abnormal behavior of Sitefinity CMS.
Back To Top
Copyright © 2019 Progress Software Corporation and/or its subsidiaries or affiliates.
All Rights Reserved.