Content Security Policy (CSP) is a security mechanism that helps prevent Cross-Site Scripting (XSS) and data injection attacks. While using strict CSP settings is generally recommended for websites, Gantry 5 requires certain CSP directives to function properly in the administrator area.
Gantry 5 administration requires the following CSP directives:
```
script-src 'self' 'unsafe-eval';
```
The `'unsafe-eval'` source keyword in `script-src` is specifically needed for:
- Cache clearing operations
- Editing functionality
- JSON parsing and handling
- Various admin UI interactions
An example header that satisfies these requirements:
```
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
```
- Split CSP Policies:
  - Use a stricter policy for your frontend website
  - Use a more permissive policy with `unsafe-eval` for the admin area only
- Security Balance:
  - Consider keeping `unsafe-eval` only in the administrator sections of your site
  - Use stricter CSP settings for all public-facing pages
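The split-policy recommendation above, as an added example that is not part of the Gantry documentation or code: one function picks the strict or the permissive policy by URL path, and a small CSP parser checks whether a given policy actually grants `'unsafe-eval'` to scripts, including the case where `script-src` is absent and the browser falls back to `default-src`. The admin path prefixes are assumptions; adjust them to your CMS.

```python
# Added example (not from the Gantry project): path-scoped CSP headers plus a
# check of what each policy grants to scripts.
from typing import Dict, List

# Assumed admin URL prefixes (Joomla and WordPress defaults); adjust as needed.
ADMIN_PREFIXES = ("/administrator/", "/wp-admin/")

PUBLIC_CSP = ("default-src 'self'; script-src 'self'; "
              "style-src 'self'; img-src 'self' data:")
ADMIN_CSP = ("default-src 'self'; script-src 'self' 'unsafe-eval'; "
             "style-src 'self' 'unsafe-inline'; img-src 'self' data:")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive: [source expressions]}.
    Per the CSP spec, a repeated directive is ignored: the first one wins."""
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            name = tokens[0].lower()
            directives.setdefault(name, [t.lower() for t in tokens[1:]])
    return directives


def effective_sources(policy: str, directive: str) -> List[str]:
    """Fetch directives such as script-src fall back to default-src when
    they are not set explicitly, so the check must look at both."""
    parsed = parse_csp(policy)
    return parsed.get(directive, parsed.get("default-src", []))


def allows_eval(policy: str) -> bool:
    """True if scripts may use eval() / new Function() under this policy."""
    return "'unsafe-eval'" in effective_sources(policy, "script-src")


def csp_for_path(path: str) -> str:
    """Permissive policy only under the admin prefixes, strict elsewhere."""
    return ADMIN_CSP if path.startswith(ADMIN_PREFIXES) else PUBLIC_CSP


def header_for_path(path: str) -> str:
    return "Content-Security-Policy: " + csp_for_path(path)


if __name__ == "__main__":
    for p in ("/", "/administrator/index.php?option=com_gantry5"):
        print(p, "->", header_for_path(p),
              "| eval allowed:", allows_eval(csp_for_path(p)))
```

Serve the header from your web server or CMS using the same path rule so the public site never receives the admin policy.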
Gantry 5 uses JavaScript bundling tools such as Browserify, which rely on eval() or new Function() constructs for certain operations. Additionally, the dynamic nature of the admin interface requires runtime code evaluation in some cases.
These requirements may change in future versions as we continue to improve Gantry's CSP compatibility.