
Content Security Policy (CSP) headers

Unblu comes with three predefined sets of directives for the Content Security Policy (CSP) HTTP response header of its various interfaces.

Activating Unblu CSP directives

By default, the Unblu CSP response headers are turned off. To use the Unblu CSP headers, set com.unblu.contentsecuritypolicy.mode to ON.

Activating CSP improves the security of Unblu by restricting the resources a page may load to those that comply with the policies you specify. However, a policy may have unintended side-effects: it may block access to resources that are, in fact, required for your application to function correctly.

If you would first like to see whether activating the Unblu CSP headers results in problems, set com.unblu.contentsecuritypolicy.mode to REPORT_ONLY. Unblu then sends Content-Security-Policy-Report-Only headers rather than Content-Security-Policy headers. Violations of the CSP directives are displayed in the console of your browser’s developer tools, but the resource is still loaded. This way, you can verify that all the content security policy directives you have specified won’t block access to required resources.

The sets of CSP directives Unblu provides are:

  1. A set of directives for the Agent Desk, Visitor Desk, and Single Conversation Desk:

    Listing 1. Contents of the CSP response header for the Agent Desk, Visitor Desk, and Single Conversation Desk
    Content-Security-Policy: style-src 'unsafe-inline' 'self'; default-src 'none'; connect-src blob: wss: 'self' *.opentok.com *.tokbox.com wss://*.tokbox.com ws:; img-src 'self' data:; media-src 'self'; font-src 'self' data:; script-src 'unsafe-inline' 'self' *.opentok.com *.tokbox.com wss://*.tokbox.com 'unsafe-eval'; frame-src 'self' blob:

    If you use Unblu’s audio and video call features, the CSP response header also includes the domains of the call service provider configured in com.unblu.conversation.call.callServiceProvider.

  2. A set of directives for the Account Configuration interface, Global Server Configuration interface and SDK:

    Listing 2. Contents of the CSP response header for the configuration interfaces and mobile SDKs
    Content-Security-Policy: style-src 'unsafe-inline' 'self'; default-src 'none'; connect-src 'self'; img-src 'self' data:; media-src 'self'; font-src 'self' data:; script-src 'unsafe-inline' 'self' 'unsafe-eval'; frame-src 'none'

  3. A set of directives for the content of a visitor’s browser displayed to an agent in the Agent Desk during an embedded co-browsing session:

    Listing 3. Contents of the CSP response header for embedded content
    Content-Security-Policy: style-src 'unsafe-inline' 'self' *; default-src 'none'; img-src 'self' * data:; media-src 'self' *; font-src 'self' * data:; script-src 'unsafe-inline'; frame-src 'self' blob:

Modifying CSP header directives

The directives for embedded content include the * wildcard for CSS, fonts, images, and media. This is the default value of the setting com.unblu.contentsecuritypolicy.allowedDomainsForUiResources. If you wish to make the directive more restrictive, simply change the value of this setting accordingly. For example, if static resources for your public website are retrieved from imgs.static.company.com and resources.company.com, you can make the CSP directive more restrictive by one of the following means:

  • Add *.company.com to com.unblu.contentsecuritypolicy.allowedDomainsForUiResources.

  • Add both imgs.static.company.com and resources.company.com to com.unblu.contentsecuritypolicy.allowedDomainsForUiResources.

You can remove the directives granting access to the domains of call service providers you don’t use. For example, if Vonage isn’t your call service provider, remove opentok.com and tokbox.com from the set of directives for the Agent Desk by deleting all values of the setting com.unblu.contentsecuritypolicy.tokboxDomains in the Global Server Configuration interface. This must be done by a user with superadministrator privileges.
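A way to dry-run a policy offline before switching com.unblu.contentsecuritypolicy.mode from REPORT_ONLY to ON, and to see what tightening com.unblu.contentsecuritypolicy.allowedDomainsForUiResources changes. This is an added example, not Unblu code: it parses a CSP header value (the header strings are Listings 1 and 3 from this page), decides whether a given resource load would be permitted, and lists the loads a browser would log under Content-Security-Policy-Report-Only. The page origin https://unblu.example and the list of loads are constructed; that the value of allowedDomainsForUiResources takes the place of the * wildcard in style-src, img-src, media-src and font-src is an assumption about how the setting maps onto Listing 3; source matching is simplified (host sources carry no port or path).

```python
"""Dry-run a Content-Security-Policy header against the loads a page performs.

Added example (not Unblu code). Header values are Listings 1 and 3 from the
page. Assumptions: the origin https://unblu.example, the constructed loads,
and that the allowedDomainsForUiResources value replaces the * wildcard in
style-src, img-src, media-src and font-src. Host sources carry no port/path.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "media-src",
                    "font-src", "connect-src", "frame-src", "object-src"}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}  # what a bare * covers

LISTING_1 = ("Content-Security-Policy: style-src 'unsafe-inline' 'self'; default-src 'none'; "
             "connect-src blob: wss: 'self' *.opentok.com *.tokbox.com wss://*.tokbox.com ws:; "
             "img-src 'self' data:; media-src 'self'; font-src 'self' data:; "
             "script-src 'unsafe-inline' 'self' *.opentok.com *.tokbox.com wss://*.tokbox.com "
             "'unsafe-eval'; frame-src 'self' blob:")


def parse_csp(header: str) -> dict:
    """Split a header (with or without its Content-Security-Policy[-Report-Only] name)
    into {directive: [source, ...]}."""
    if header.lower().startswith("content-security-policy"):
        header = header.split(":", 1)[1]
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # *.company.com covers subdomains, not the apex
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    u, page = urlparse(url), urlparse(page_origin)
    if source == "'self'":  # same origin; an https page may also open wss to its own host
        return u.hostname == page.hostname and (
            u.scheme == page.scheme or (page.scheme == "https" and u.scheme == "wss"))
    if source.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval' match no URL
        return False
    if source.endswith(":"):  # scheme-source such as data:, blob:, wss:
        return u.scheme == source[:-1].lower()
    if source == "*":  # bare * covers network schemes only, never data: or blob:
        return u.scheme in NETWORK_SCHEMES
    scheme, sep, host = source.partition("://")  # host-source: [scheme://]host
    if not sep:
        scheme, host = "", scheme
    if scheme and u.scheme != scheme.lower():
        return False
    if not scheme and u.scheme not in NETWORK_SCHEMES:
        return False
    return _host_matches(host, u.hostname or "")


def is_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """True if the policy permits loading `url` under `directive`."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True  # the policy says nothing about this directive
    return any(_source_matches(s, url, page_origin) for s in sources)


def report_violations(header: str, page_origin: str, loads) -> list:
    """The (directive, url) pairs a browser would log in REPORT_ONLY mode."""
    policy = parse_csp(header)
    return [(d, u) for d, u in loads if not is_allowed(policy, d, u, page_origin)]


def embedded_content_csp(allowed_domains: str) -> str:
    """Listing 3 with the allowedDomainsForUiResources value in place of * (assumption)."""
    return (f"Content-Security-Policy: style-src 'unsafe-inline' 'self' {allowed_domains}; "
            f"default-src 'none'; img-src 'self' {allowed_domains} data:; "
            f"media-src 'self' {allowed_domains}; font-src 'self' {allowed_domains} data:; "
            f"script-src 'unsafe-inline'; frame-src 'self' blob:")


if __name__ == "__main__":
    PAGE = "https://unblu.example"  # assumed origin serving the Agent Desk
    # Constructed loads an Agent Desk page might perform; only the last is not covered.
    agent_desk_loads = [
        ("script-src", "https://unblu.example/app/desk.js"),
        ("connect-src", "wss://unblu.example/unblu/events"),
        ("connect-src", "wss://media.tokbox.com/session"),
        ("img-src", "data:image/png;base64,iVBORw0KGgo="),
        ("img-src", "https://cdn.third-party.example/logo.png"),
    ]
    for d, u in report_violations(LISTING_1, PAGE, agent_desk_loads):
        print(f"REPORT_ONLY would log: {d} blocks {u}")
    strict = parse_csp(embedded_content_csp("*.company.com"))
    for u in ("https://imgs.static.company.com/hero.png", "https://company.com/hero.png"):
        print(u, "allowed" if is_allowed(strict, "img-src", u, PAGE) else "blocked")
```

Two details the check makes visible: *.company.com matches imgs.static.company.com and resources.company.com but not the apex company.com, so a resource served from https://company.com/ would still be reported after the change; and a bare * never covers data: or blob:, which is why the page's headers list those schemes explicitly next to it.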

Limitations

The Unblu CSP headers are always delivered as HTTP response headers. It isn’t possible to include them in a meta tag.

See also

For more information about the Content-Security-Policy HTTP response header, refer to the following resources: