Content Security Policy (CSP) headers
Unblu comes with three predefined sets of directives for the Content Security Policy (CSP) HTTP response header of its various interfaces.
Activating Unblu CSP directives
By default, the Unblu CSP response headers are turned off. To use the Unblu CSP headers, set com.unblu.contentsecuritypolicy.mode to ON.
Activating CSP improves the security of Unblu by limiting access to resources that comply with the policies you specify. However, sometimes a policy may have unintended side-effects. It may block access to resources that are, in fact, required for your application to function correctly.
If you would first like to see whether activating the Unblu CSP headers results in problems, set com.unblu.contentsecuritypolicy.mode to REPORT_ONLY. Unblu then sends Content-Security-Policy-Report-Only headers rather than Content-Security-Policy headers. Violations of the CSP directives are displayed in the console of your browser’s developer tools, but the resource is still loaded. This way, you can verify that the content security policy directives you have specified won’t block access to required resources.
The sets of CSP directives Unblu provides are:
- A set of directives for the Agent Desk, Visitor Desk, and Single Conversation Desk, conversation recording, and the whiteboard collaboration layer:
  Listing 1. Contents of the CSP response header for the agent and visitor user interfaces
  Content-Security-Policy: style-src 'unsafe-inline' 'self'; default-src 'none'; connect-src wss: 'self' ws:; img-src 'self' data:; media-src 'self'; font-src 'self' data:; script-src 'unsafe-inline' 'self'; frame-src 'self' blob:; worker-src 'self' blob:
  If you use Unblu’s audio and video call features, the CSP response header also includes the domains of the call service provider that’s configured in com.unblu.conversation.call.callServiceProvider. The domains are added to the connect-src and script-src fetch directives.
- A set of directives for the Account Configuration interface, Global Server Configuration interface, Agent Desk login page, and mobile SDKs:
  Listing 2. Contents of the CSP response header for the configuration interfaces, Agent Desk login page, and mobile SDKs
  Content-Security-Policy: style-src 'unsafe-inline' 'self'; default-src 'none'; connect-src 'self' wss: ws:; img-src 'self' data:; media-src 'self'; font-src 'self' data:; script-src 'unsafe-inline' 'self'; frame-src 'none'; worker-src 'self' blob:
- A set of directives for the content of a visitor’s browser displayed to an agent in the Agent Desk during an embedded co-browsing session:
  Listing 3. Contents of the CSP response header for embedded content
  Content-Security-Policy: style-src 'unsafe-inline' 'self' *; default-src 'none'; img-src 'self' * data:; media-src 'self' *; font-src 'self' * data:; script-src 'unsafe-inline'; frame-src 'self' blob:
- A set of directives for any error pages Unblu might display:
  Listing 4. Contents of the CSP response header for error pages
  default-src 'none'; media-src 'self'; frame-src 'none'; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'
  For the error pages that are displayed when a user impersonating another user tries to access a page they aren’t allowed to access, the CSP response header also includes the following fetch directives:
  Contents of the CSP response header for impersonating user error pages
  script-src 'self' 'unsafe-inline'; connect-src 'self'
- A set of directives for static content:
  Listing 5. Contents of the CSP response header for static content
  default-src 'none'; media-src 'self'; frame-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; connect-src 'self' ws: wss:
The values ws: and wss: in the various headers are required by Apple Safari.
Modifying CSP header directives
The directives for embedded content include the * wildcard for CSS, fonts, images, and media. This is the default value of the configuration property com.unblu.contentsecuritypolicy.allowedDomainsForUiResources. If you wish to make the directive more restrictive, change the value of the property accordingly. For example, if static resources for your public website are retrieved from imgs.static.company.com and resources.company.com, you can make the CSP directive more restrictive by one of the following means:
- Add *.company.com to com.unblu.contentsecuritypolicy.allowedDomainsForUiResources.
- Add both imgs.static.company.com and resources.company.com to com.unblu.contentsecuritypolicy.allowedDomainsForUiResources.
The domains listed in the configuration property are added to the following fetch directives for embedded content:
- media-src
- font-src
- img-src
- style-src
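To see what narrowing the wildcard actually changes, the following added example (not part of the Unblu documentation or product) evaluates resource URLs against Listing 3 as printed above and against a constructed variant in which each * is replaced by *.company.com, the way the first option above would. It implements only the subset of CSP source matching the listings need (keywords, scheme sources such as data: and blob:, plain and wildcard hosts, and the default-src fallback); the origin unblu.example.com and the resource URLs are assumptions chosen for the demonstration.

```python
import re
from urllib.parse import urlparse

# Listing 3 from the page (embedded content) and a constructed variant in which the '*'
# wildcard is replaced by the '*.company.com' entry from the example above.
EMBEDDED_DEFAULT = (
    "style-src 'unsafe-inline' 'self' *; default-src 'none'; img-src 'self' * data:; "
    "media-src 'self' *; font-src 'self' * data:; script-src 'unsafe-inline'; frame-src 'self' blob:"
)
EMBEDDED_RESTRICTED = re.sub(r"\*(?=[;\s])", "*.company.com", EMBEDDED_DEFAULT)

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
# Fetch directives that fall back to default-src when the policy does not list them.
FETCH_DIRECTIVES = {"connect-src", "font-src", "frame-src", "img-src", "media-src", "script-src", "style-src", "worker-src"}

def parse_csp(header):
    """Turn a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _source_matches(source, url, self_origin):
    """Subset of CSP source-expression matching: keywords, scheme sources, host sources."""
    if source in ("'none'", "'unsafe-inline'"):  # neither keyword matches a URL
        return False
    if source == "'self'":
        return (url.scheme, url.hostname, url.port) == (self_origin.scheme, self_origin.hostname, self_origin.port)
    if source == "*":  # '*' covers network schemes only; data: and blob: need an explicit entry
        return url.scheme in NETWORK_SCHEMES
    if source.endswith(":"):  # scheme source such as data:, blob:, ws:, wss:
        return url.scheme == source[:-1]
    if url.scheme not in NETWORK_SCHEMES or url.hostname is None:
        return False
    host = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    if host.startswith("*."):  # wildcard host such as *.company.com
        return url.hostname.endswith(host[1:])
    return url.hostname == host

def allowed(header, directive, resource_url, self_origin_url):
    """True if the policy lets `directive` load resource_url from a page served at self_origin_url."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:  # the policy does not govern this directive
        return True
    url, self_origin = urlparse(resource_url), urlparse(self_origin_url)
    return any(_source_matches(s, url, self_origin) for s in sources)
```

Running the same URLs through both variants is a quick offline substitute for the REPORT_ONLY check above: an image from an unrelated CDN passes the default policy but fails the restricted one, while a data: image still passes both because data: is listed explicitly and is not covered by *.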
Limitations
The Unblu CSP headers are always delivered as HTTP response headers. It isn’t possible to include them in a meta tag.