This header helps to prevent code injection attacks such as cross-site scripting and click-jacking by telling the browser which dynamic resources are allowed to load. The value of the Content-Security-Policy header is made up of a number of segments (directives) separated by semicolons; 'self' translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScript, stylesheets etc. only from the same domain that served the HTML referencing the resources. You won't be able to include external scripts from CDNs and similar.
This subsection discusses the settings related to the Content Security Policy for the SigningHub Admin, Web, and Mobile Web.


Configure the "Content Security Policy" parameters in SigningHub Global Settings

  1. Click the "Configurations" option from the left menu.
  2. Click the "Global Settings" option.
  3. Global Settings will appear; select the "Content Security Policy" option from the drop-down at the top right.
  4. Configure these settings as required and click the "Save" button at the bottom of the screen. For changes to the Content Security Policy to take effect, the website must be restarted.
    See the table below for a description of the fields.

  


Content Security Policy

Fields and their description:

Admin Content Security Policy
    Specify the Content Security Policy for the SigningHub Admin. By default, the value of this field is fetched from the database, but it can be updated to suit the user's requirements. The maximum length of this field is 4000 characters.
    The default value for this field is "form-action 'none'; base-uri 'self'; frame-ancestors 'none'; default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; object-src 'none'; script-src 'self' ;"

Web Content Security Policy
    Specify the Content Security Policy for the SigningHub Web. By default, the value of this field is fetched from the database, but it can be updated to suit the user's requirements. The maximum length of this field is 4000 characters.
    The default value for this field is "object-src 'none'; default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop ; connect-src 'self' https://graph.microsoft.com/v1.0/ https://dc.services.visualstudio.com/v2/track https://client.go-sign-desktop.com:8782 https://web.signinghub.com/adss/gosign/handler https://client.go-sign-desktop.com:8782/gosign-desktop ws://web.signinghub.com/; child-src 'self' https://docs.google.com/picker https://client.go-sign-desktop.com:8782/gosign-desktop https://accounts.google.com https://api.taxamo.com/ https://c.taxamo.com/ https://p.taxamo.com/ https://www.google.com/ ; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://az416426.vo.msecnd.net/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ http://apis.google.com https://docs.google.com/picker https://js.live.net https://www.google-analytics.com https://bat.bing.com https://www.googleadservices.com https://client.go-sign-desktop.com:8782/gosign-desktop https://web.signinghub.com https://api.taxamo.com/js/v1/taxamo.all.js https://graph.microsoft.com/v1.0/ ; style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob:;"

Mobile Web Content Security Policy
    Specify the Content Security Policy for the SigningHub Mobile Web. By default, the value of this field is fetched from the database, but it can be updated to suit the user's requirements. The maximum length of this field is 4000 characters.
    The default value for this field is "object-src 'none'; default-src 'self' ;connect-src 'self' [%SigningHub_SigningHub.MobileWeb_URL%] [%SigningHub_API_URL%] ; child-src 'self' https://docs.google.com/picker https://accounts.google.com https://content.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://apis.google.com https://docs.google.com/picker https://web.signinghub.com https://bat.bing.com https://www.googleadservices.com; style-src 'self' 'unsafe-inline';font-src * data:; img-src 'self' * data: blob:;"



  1. For a fresh installation of SigningHub:
    • The system will add the default Content Security Policy values (which reference signinghub.com) for all the websites from the database. These default values can be updated later.
    • The Content Security Policy will be added to the default scripts.
  2. For an upgrade of SigningHub:
    • Upon upgrade, the system will take the default Content Security Policy values (which reference signinghub.com) for all the websites from the existing web.config file and place them in the database.
    • From v8.5 onwards, the system reads the Content Security Policy values from the database, since every client will have updated the Content Security Policy as per their needs.
  3. Add the following URLs to connect-src for Belgian eID Card, in addition to the above CSP headers:
    • https://client.localmiddleware.be:20202/version
    • https://client.localmiddleware.be:20202/status
    • https://client.localmiddleware.be:20202/events
    • https://client.localmiddleware.be:20202/session
    • https://client.localmiddleware.be:20202/eID/signingSession
    • https://client.localmiddleware.be:20202/eID/id
    • https://client.localmiddleware.be:20202/eID/nonRepudiationCertificate
    • https://client.localmiddleware.be:20202/eID/citizenCertificate
    • https://client.localmiddleware.be:20202/eID/rootCertificate
    • https://client.localmiddleware.be:20202/eID/signRsa

  4. Add the following URLs to child-src, and the last one to script-src, for Stripe, in addition to the above CSP headers:
    • https://api.taxamo.com/
    • https://c.taxamo.com/
    • https://p.taxamo.com/
    • https://api.taxamo.com/js/v1/taxamo.all.js

  5. Add the following URLs to connect-src for T1C Signing, in addition to the above CSP headers:
    • https://accapim.t1t.be:443
    • https://localhost:10443/v2/

  6. Add the following URL to the default-src of Web and Admin for Power BI reporting, in addition to the above CSP headers:
    • https://app.powerbi.com/
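The steps above amount to editing one directive of a long policy string by hand. As an added example that is not SigningHub's own code, the Python helper below parses a policy such as the defaults in the table, appends the feature-specific URLs to the named directive (seeding a directive that does not yet exist with the default-src sources, since an explicit directive no longer inherits them), enforces the 4000-character field limit, and flags 'unsafe-inline' and 'unsafe-eval' in script-src as weak settings. The function names and the choice of two Belgian eID URLs as sample input are the example's own.

```python
from collections import OrderedDict

MAX_LEN = 4000  # character limit of each CSP field in Global Settings (see table above)

def parse_csp(policy):
    """Split "name src src; name src" into an ordered {directive: [sources]} map."""
    directives = OrderedDict()
    for segment in policy.split(";"):
        tokens = segment.split()
        if tokens:  # browsers honour only the first occurrence of a repeated directive
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def serialize(directives):
    """Join directives back into a header value and enforce the field limit."""
    text = "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in directives.items()) + ";"
    if len(text) > MAX_LEN:
        raise ValueError(f"policy is {len(text)} characters; the field allows {MAX_LEN}")
    return text

def add_sources(policy, directive, urls):
    """Return policy with urls appended to directive, without duplicates.

    An absent fetch directive falls back to default-src, so a newly written one is
    seeded with default-src's sources; otherwise 'self' would silently drop out."""
    directives = parse_csp(policy)
    if directive not in directives:
        directives[directive] = list(directives.get("default-src", []))
    for url in urls:
        if url not in directives[directive]:
            directives[directive].append(url)
    return serialize(directives)

def weak_script_sources(policy):
    """List the XSS-weakening keywords that apply to scripts under this policy."""
    directives = parse_csp(policy)
    srcs = directives.get("script-src", directives.get("default-src", []))
    return sorted(s for s in srcs if s in ("'unsafe-inline'", "'unsafe-eval'"))

# Admin default from the table above; the URLs are the page's Power BI and Belgian eID entries.
ADMIN_DEFAULT = ("form-action 'none'; base-uri 'self'; frame-ancestors 'none'; default-src 'self'; "
                 "style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; object-src 'none'; "
                 "script-src 'self' ;")
EID_URLS = ["https://client.localmiddleware.be:20202/version",
            "https://client.localmiddleware.be:20202/status"]

if __name__ == "__main__":
    print(add_sources(ADMIN_DEFAULT, "default-src", ["https://app.powerbi.com/"]))
    print(add_sources(ADMIN_DEFAULT, "connect-src", EID_URLS))
    print(weak_script_sources(ADMIN_DEFAULT))  # [] because the Admin default keeps script-src strict
```

Running the same check against the Web default shows 'unsafe-inline' and 'unsafe-eval' in its script-src, which is where a tightening effort would start.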
