Commit 3d4640d

Description of app-admin-home's config is missing CSP customisation #538
1 parent cefd53c commit 3d4640d

1 file changed

+19
-7
lines changed

docs/deployment/config.adoc

Lines changed: 19 additions & 7 deletions
@@ -441,7 +441,7 @@ It also requires granting certain permissions. You can find more information in
441441

442442
`XP_HOME/config/com.enonic.xp.admin.cfg`
443443

444-
General setting for /admin
444+
General settings for /admin.
445445

446446
.Disable Content Security Policy for site preview
447447
[source,properties]
@@ -460,20 +460,32 @@ site.preview.contentSecurityPolicy:: Defines default value for Content-Security-
460460
Default: `default-src 'self'; base-uri 'self'; form-action 'self'; script-src 'self'; object-src 'none'; img-src * data:; style-src * 'unsafe-inline'; font-src * data:`
461461

462462

463-
=== Home app
463+
=== XP Dashboard
464464

465465
`XP_HOME/config/com.enonic.xp.app.main.cfg`
466466

467-
.Disable welcome tour
467+
==== Content Security Policy
468+
469+
IMPORTANT: Disabling or changing built-in Content Security Policy is generally NOT RECOMMENDED. You may need to tweak
470+
CSP settings _only_ if you are building a Dashboard widget where you want to allow references to external resources
471+
(for example, a YouTube video) or other potentially unsafe (from the CSP point of view) actions.
472+
473+
You can provide your own header for Content Security Policy using `contentSecurityPolicy.header` property.
474+
Note, that if you provide your own header, you should include all necessary directives, as the default headers (`self`) will not be added.
475+
476+
.Customized Content Security Policy for XP Dashboard
468477
[source,properties]
469478
----
470-
# Disable the "Welcome tour". Default: false
471-
tourDisabled = true
479+
contentSecurityPolicy.header=default-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://*.youtube.com
472480
----
473481

474-
tourDisabled:: Specify if welcome tour should be enabled or not.
475-
Default: `false`
482+
To completely turn off Content Security Policy for the Dashboard, set `contentSecurityPolicy.enabled` property to `false`.
476483

484+
.Disabled Content Security Policy for XP Dashboard
485+
[source,properties]
486+
----
487+
contentSecurityPolicy.enabled=false
488+
----
477489

478490
=== Applications app
479491

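Review bot: the sample value in the `.Customized Content Security Policy for XP Dashboard` block omits `base-uri` and `form-action`, and those two directives do not fall back to `default-src`, so anyone copying the example as-is loses the protections the site preview default in this same file carries (`base-uri 'self'; form-action 'self'`); suggest adding both to the example, e.g. `contentSecurityPolicy.header=default-src 'self'; base-uri 'self'; form-action 'self'; connect-src 'self' ws: wss:; ...`. In the same line, `connect-src 'self' ws: wss:` permits WebSocket connections to any host over those schemes; if the bare schemes are only there for browsers that did not match `ws:`/`wss:` under `'self'`, a sentence saying so (and that `'self'` alone is preferable where it works) would stop readers from treating the wildcard as required. The hunk also drops the `.Disable welcome tour` block and the `tourDisabled::` entry without the commit message mentioning it; if the property still exists, keep its entry, and if it was removed from the product, say so in the message. Finally, the new `contentSecurityPolicy.header` and `contentSecurityPolicy.enabled` settings are described only in running text, while the rest of this file uses `property:: description` followed by `Default:`; adding the two entries in that form, with the built-in header as the default of `contentSecurityPolicy.header`, `true` as the default of `contentSecurityPolicy.enabled`, and a note on which wins when `enabled=false` and `header` are both set, would keep the section consistent with the `site.preview.contentSecurityPolicy::` entry above it. The phrase "as the default headers (`self`) will not be added" should read "as the default directives (`'self'`) will not be added", since it is one header made of several directives and the keyword is quoted in CSP syntax.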