Default Content-Security-Policy (CSP) from Enonic in Edit mode can not be overwritten

Enonic version: 7.9.2

Hi!

We add our own CSP by using a responseProcessor, and it works as expected everywhere except in edit mode. In edit mode I can see in our log that the responseProcessor is doing the same as in every other mode (and adds the CSP as expected), but we are still stuck with the default CSP from Enonic. Also, for edit mode, adding site.preview.contentSecurityPolicy = to XP_HOME/config/com.enonic.xp.admin.cfg does not make any difference, we still get the default CSP from Enonic.

I found your issue Content-Security-Policy for site preview · Issue #9293 · enonic/xp · GitHub where you say we should be able to add our own CSP to edit mode as well, but we can’t seem to make it work for edit mode. Can you help? :slight_smile:

Also, in your documentation of the CSP (Configuration files - Enonic Developer Portal and Upgrading - Enonic Developer Portal) you only mention that you add it to inline and preview mode, but you also add the default to edit mode. Can this be updated? :slight_smile:

The reason it works differently in edit mode is that Page Editor is using an iframe to display the content, so there we have to use a meta tag to inject the CSP, rather that using a header like in preview.

If you are injecting your own CSP using responseProcessor rather than configuring CSP via config file, I suggest you turn off CSP completely (this will turn it off in the editor as well) and keep on using responseProcessor to inject the CSP header.

2 Likes

Also, in your documentation of the CSP (Configuration files - Enonic Developer Portal and Upgrading - Enonic Developer Portal) you only mention that you add it to inline and preview mode, but you also add the default to edit mode. Can this be updated?

There are two different docs on CSP - one, that you mentioned, for XP (that describes config for inline and preview modes) and another for Content Studio (which is for the Content Studio itself and page editor).

1 Like

Aha!
Thank you for the explanations, and the link to the Content Studio documentation of the CSP used there. :slightly_smiling_face: