Knowledge Content Security Policy (CSP) Overview
How to customize the content security policy in your Knowledge Library
What is a Content Security Policy?
A Content Security Policy (“CSP”) is a computer security standard introduced to prevent cross-site scripting, clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
For example, a CSP may block the ability to embed iframes into a website since embedded iframes could provide a potential attack surface for malicious content to be embedded inside your website without your core security systems detecting it.
When it comes to the OvationCXM Knowledge Library Sites, we aim to provide strong security with our core CSP, while allowing organizations to completely customize all aspects of their CSP if desired.
OvationCXM CSP Functionality
Each Knowledge Library comes out-of-the-box with a default content security policy. This is made up of 1) required CSP directives as well as 2) additional default CSP directives (that can optionally be overridden).
Mandatory CSP Directives
All Knowledge Libraries get a set of mandatory CSP directives that cannot be removed. They are required in each Knowledge Library so that the core functionality works as expected.
The mandatory CSP directives include:
- default-src: 'self', api.goboomtown.com, www.goboomtown.com, webchat.goboomtown.com, https://fonts.gstatic.com
- script-src: 'self', webchat.goboomtown.com, cdn.split.io
- style-src: 'self', webchat.goboomtown.com, https://fonts.googleapis.com
- img-src: 'self', api.goboomtown.com, www.goboomtown.com, webchat.goboomtown.com
- font-src: 'self', webchat.goboomtown.com, https://fonts.googleapis.com, https://fonts.gstatic.com
- connect-src: 'self', api.goboomtown.com, webchat.goboomtown.com, cdn.split.io, sdk.split.io, streaming.split.io, auth.split.io, events.split.io
- frame-src: messenger.goboomtown.com
Default CSP Directives
All Knowledge Libraries also come with a set of default directives in addition to the mandatory directives. While these directives do not show up on the Knowledge Settings screen, they are included with each Library. These additional directives add flexibility for common inline styling functionality as well as enable the use of the included set of emoticons.
The default CSP directives include:
- script-src: 'unsafe-inline'
- frame-ancestors: *
- default-src: https://cdnjs.cloudflare.com
- style-src: 'unsafe-inline'
- img-src: https://cdnjs.cloudflare.com
Custom CSP Directives
For organizations that want to completely customize their CSP directives, we provide the ability to add your own CSP directives to the Knowledge Settings screen for each Library. When you add any custom CSP directives, the mandatory directives noted above remain, but the default directives get overwritten with only the directives that you include. This allows you to remove the default directives if desired.
If you want to keep the default directives and also add custom CSP directives, copy the default directives listed above and paste them into the CSP Header field together with your additions (instructions below).
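The following is an added example, not OvationCXM's code, that models the assembly rule described above: mandatory directives are always present, the default directives are used only when no custom directives are supplied, and sources are unioned per directive. Directive names and hosts come from the lists above (a subset, to keep it short); the merge logic itself is an assumption drawn from the text.

```python
# Added example (not OvationCXM code). Mandatory and default lists are a
# subset of the page's; the merge rules are an assumption drawn from the text.

MANDATORY = {
    "default-src": ["'self'", "api.goboomtown.com", "www.goboomtown.com",
                    "webchat.goboomtown.com", "https://fonts.gstatic.com"],
    "script-src": ["'self'", "webchat.goboomtown.com", "cdn.split.io"],
    "frame-src": ["messenger.goboomtown.com"],
}

DEFAULTS = {
    "script-src": ["'unsafe-inline'"],
    "frame-ancestors": ["*"],
    "default-src": ["https://cdnjs.cloudflare.com"],
}


def effective_policy(custom):
    """Build the effective policy: mandatory directives always stay; the
    DEFAULTS apply only when no custom directives were given; otherwise
    the custom directives replace them. Sources are unioned per directive."""
    policy = {name: list(sources) for name, sources in MANDATORY.items()}
    extra = custom if custom else DEFAULTS
    for directive, sources in extra.items():
        merged = policy.setdefault(directive, [])
        merged.extend(s for s in sources if s not in merged)
    return policy


def to_header(policy):
    """Serialize to a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


if __name__ == "__main__":
    # No custom directives: defaults (including 'unsafe-inline') are present.
    print(to_header(effective_policy({})))
    # One custom directive: defaults are gone, mandatory entries remain.
    print(to_header(effective_policy({"frame-src": ["https://docs.google.com/"]})))
```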
How to Customize the CSP Headers In Your Knowledge Library
In order to edit your CSP directives, you will need to have the Edit Knowledge Base Settings Permission on your User Role.
To edit your CSP directives in your Knowledge Libraries:
- Navigate to Settings by clicking the Avatar in the top right and selecting Settings
- Click on Knowledge in the left navigation menu
- Select Edit on the Library you would like to update
- Scroll down to the Content Security-Policy Header field
- Add in your CSP directives here.
Remember that as soon as you add anything to the Content Security-Policy Header field, you will lose the default CSP directives noted above. If you would like to keep those, be sure to copy and paste them into the field.
Common Example Use Cases for Custom CSP Directives
Here are a few common use cases that you may want to enable in your knowledge library.
Iframe Documents
If you have a collection of PDFs hosted on your website, it may be too time consuming to rewrite them as articles, and unnecessary to download and re-upload them to the CXMEngine platform library; a simple solution is to embed them.
Add to your CSP:
frame-src https://docs.google.com/
When embedding an iframe in your Article, the <iframe> will look like the following, where the url query parameter is the link to your PDF.
Note: the Google Docs viewer iframe requires the docs.google.com host to be listed under the frame-src directive, which governs what your Library may embed. (The frame-ancestors directive, by contrast, governs which sites may embed your Library, so listing docs.google.com there would not enable the viewer.)
<iframe src="https://docs.google.com/gview?url=&embedded=true" style="width:480px; height:720px;" frameborder="0"></iframe>
Iframe Videos
If you want to embed external videos that may be useful for support and troubleshooting:
Add to your CSP:
frame-src https://www.youtube.com
In your Article, the <iframe> element may look like this when the video comes from a separate source such as YouTube. This requires the www.youtube.com host to be included in the frame-src directive; a CSP host source matches exactly, so youtube.com on its own would not cover www.youtube.com.
<iframe src="https://www.youtube.com/embed/bMav94Hyo4k" allowfullscreen></iframe>
iFrame Spreadsheets
If you need to include a large datasheet that readers may view but not edit, and the list is too large for a table built in the article editor so it must stay in a spreadsheet (in this example, the platform is Google Sheets):
Add to your CSP:
frame-src https://docs.google.com/spreadsheets/
And if you combine several of the above examples, your CSP directive may look like this:
frame-src https://*.google.com/ https://www.youtube.com
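As an added example (not OvationCXM code), the checker below applies CSP host-source matching to a frame-src list and an iframe src URL, so you can verify a directive before pasting it into the field. It covers the scheme, exact and wildcard hosts, and path prefixes as used in the examples above; keyword sources such as 'self' and port matching are out of scope and are an assumption-free simplification.

```python
# Added example (not OvationCXM code): does a frame-src source list allow a
# given <iframe src=...> URL? Simplified CSP host-source matching: scheme,
# host (exact or '*.' wildcard) and path prefix. Ports and keyword sources
# such as 'self' are not handled.
from urllib.parse import urlsplit


def _host_matches(pattern_host, host):
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        # '*.google.com' matches any subdomain but not the bare domain
        return host.endswith(pattern_host[1:]) and host != pattern_host[2:]
    return host == pattern_host


def source_allows(source, url):
    """True if one host-source expression (e.g. 'https://*.google.com/')
    allows the URL. Quoted keyword sources are treated as non-matching."""
    if source.startswith("'"):
        return False
    target = urlsplit(url)
    pattern = urlsplit(source if "://" in source else "//" + source)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    if not _host_matches(pattern.hostname, target.hostname):
        return False
    path = pattern.path
    if path and path != "/":
        # A source path ending in '/' is a prefix; otherwise it must match exactly
        return target.path.startswith(path) if path.endswith("/") else target.path == path
    return True


def frame_allowed(frame_src, url):
    """Evaluate a whitespace-separated frame-src source list against a URL."""
    return any(source_allows(s, url) for s in frame_src.split())


if __name__ == "__main__":
    combined = "https://*.google.com/ https://www.youtube.com"
    print(frame_allowed(combined, "https://docs.google.com/gview?url=x&embedded=true"))
    print(frame_allowed("https://youtube.com/", "https://www.youtube.com/embed/bMav94Hyo4k"))
```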
Emoticons
The default directives include the CSP entries needed for the included emoticons to work. If you customize your CSP and want to continue using the included emoticons, you will need to add the following to your CSP directive:
default-src: https://cdnjs.cloudflare.com, img-src: https://cdnjs.cloudflare.com
Custom Functionality and Styling
If you are using a custom CSP directive and want to extend features and styling (e.g. adding table sorting, custom fonts, or Bootstrap styles), you may need to add the following to your CSP directive:
script-src: 'unsafe-inline', style-src: 'unsafe-inline'