Content-Security-Policy (CSP) registry settings

Use registry settings to modify the Content Security Policy (CSP) that exists in OpenPages®.

To modify where the application can load resources from, use the registry setting /Platform/Security/Headers/Content-Security-Policy. The value of this setting is merged with the Content Security Policy that is already set internally for the application.

To apply a separate CSP for custom helpers and reports without affecting the overall OpenPages CSP, use the registry settings /Platform/Security/Headers/Unsafe Content-Security-Policy URLs and /Platform/Security/Headers/Unsafe Content-Security-Policy.

The Content-Security-Policy and Unsafe Content-Security-Policy settings use the Content Security Policy syntax. For more information, see Content Security Policy.

Note: If you change the value of the Content-Security-Policy registry settings, refresh your browser page after you apply the change.

What is CSP?

With CSP, you can specify which resources, such as JavaScript and CSS, can be loaded, and the URLs that they can be loaded from.

CSP reduces the likelihood of Cross Site Scripting (XSS) attacks and other forms of attack such as clickjacking.

For more information about CSP, see Content Security Policy (CSP) Quick Reference Guide.

How CSP changed in version 9.0.0.3

In OpenPages version 9.0.0.3, the default base CSP changed to be more secure by removing the 'unsafe-inline' and 'unsafe-eval' CSP keywords. The default base CSP doesn't include integrations such as Cognos, WalkMe, or IBM Watson® Assistant.

The default base CSP in 9.0.0.3 is default-src 'self';script-src 'self';style-src 'self';img-src 'self' data:;font-src 'self' data:;frame-ancestors 'self'; form-action 'self';.

As a result of the changes to the CSP, the default value of the registry setting /Platform/Security/Headers/Content-Security-Policy changed to reflect the CSP more accurately and to make it easier for you to modify the CSP. In version 9.0.0.2, this registry setting set only default-src 'self'. The script-src and style-src directives are now set separately for more granularity. For example, you can specify 'unsafe-inline' just for styles and not for scripts. However, sometimes you might need to change more than one directive. For example, if you have to edit your CSP to add the host for your Cognos server, you need to add it to script-src, style-src, img-src, and form-action.

The script-src directive manages the allowed features of scripts. For example, 'unsafe-eval' allows the use of string evaluation functions and 'unsafe-inline' allows inline scripts and event handlers.

The style-src directive manages the use of inline styles.

The source value 'self' allows loading resources from the same origin (same scheme, host, and port).

Together, the directives that are specified in the value of Content-Security-Policy help to block threat agents that might try to compromise your system.

If you customized Content-Security-Policy in versions preceding 9.0.0.3 and you are upgrading to 9.0.0.3 or later, update /Platform/Security/Headers/Content-Security-Policy by copying the source values that were specified for default-src to script-src, style-src, img-src, and font-src.
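As an added example (not OpenPages code or part of its documentation), the following Python helper carries out the upgrade step just described and the Cognos-host change from the earlier section: it copies the pre-9.0.0.3 default-src sources into script-src, style-src, img-src, and font-src on top of the 9.0.0.3 base value quoted above, adds an external host to the directives that need it, and flags any 'unsafe-inline' or 'unsafe-eval' that the copy would reintroduce for scripts. The host name used in the comments is a constructed placeholder.

```python
"""Migrate a pre-9.0.0.3 OpenPages CSP registry value to the 9.0.0.3 form.

Added example, not part of OpenPages. Assumes a directive-per-key model of a
CSP string; it does not reproduce the product's internal merge logic.
"""
from collections import OrderedDict

# The 9.0.0.3 default base CSP, as quoted in the documentation.
NEW_DEFAULT = ("default-src 'self';script-src 'self';style-src 'self';"
               "img-src 'self' data:;font-src 'self' data:;"
               "frame-ancestors 'self'; form-action 'self';")

# Directives that must receive the old default-src sources on upgrade.
UPGRADE_TARGETS = ("default-src", "script-src", "style-src", "img-src", "font-src")
# Directives that need an external host such as a Cognos server.
HOST_TARGETS = ("script-src", "style-src", "img-src", "form-action")


def parse_csp(value):
    """Split a CSP string into an ordered mapping: directive -> list of sources."""
    policy = OrderedDict()
    for part in value.split(";"):
        tokens = part.split()          # tolerates 'directive;' and '; directive'
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Render the mapping back into the registry-setting syntax."""
    return ";".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items()) + ";"


def append_unique(sources, extra):
    """Append sources that are not already present, preserving order."""
    for src in extra:
        if src not in sources:
            sources.append(src)
    return sources


def migrate_default_src(old_value, base=NEW_DEFAULT):
    """Copy the old default-src sources to each upgrade target (keeps data: etc.)."""
    extra = parse_csp(old_value).get("default-src", [])
    new = parse_csp(base)
    for directive in UPGRADE_TARGETS:
        new[directive] = append_unique(new.get(directive, []), extra)
    return new


def add_host(policy, host, directives=HOST_TARGETS):
    """Allow one external host (for example https://cognos.example.com, a placeholder)."""
    for directive in directives:
        policy[directive] = append_unique(policy.get(directive, []), [host])
    return policy


def unsafe_script_keywords(policy):
    """Return the keywords 9.0.0.3 removed from script-src if the value would restore them."""
    return sorted({"'unsafe-inline'", "'unsafe-eval'"} & set(policy.get("script-src", [])))
```

Run unsafe_script_keywords on the migrated value before you paste it into the registry setting; a non-empty result means the old default-src is about to re-enable inline or evaluated scripts.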

How the change to CSP affects how OpenPages works

The enhancements to security change the way OpenPages works:
  • Certain features in the rich text editor that use inline styles, such as font color and family, and image and table resizing and alignment, are not available.
  • The JSON tab is not displayed in View Designer.
  • Some custom helpers and JSP reports might not work correctly.
  • The Fastmap Import report and Fastmap Import Status report might have rendering issues and might not work correctly.
  • Legacy helpers and reports, such as the KRI and KPI Value Creation utilities, might have rendering issues and might not work correctly.

You can override the CSP setting to enable the features that are disabled by the CSP in 9.0.0.3 and later versions. However, overriding the setting increases your system's exposure to the risk of attack.

Restoring rich text editor features and the JSON tab in View Designer

To enable the disabled features in the rich text editor and to display the JSON tab in View Designer, add the 'unsafe-inline' CSP keyword to the style-src 'self' directive. Using the 'unsafe-inline' keyword in this way limits its scope to inline styles only.

For example, the following value for /Platform/Security/Headers/Content-Security-Policy overrides the CSP setting for the style-src directive:

default-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';

For more information about the 'unsafe-inline' CSP keyword, see The CSP unsafe-inline Source List Keyword.

Enabling custom helpers and JSP reports

The best way to enable custom pages, such as helpers and JSP reports, without overriding the secure CSP setting is to modify the pages so that they no longer use unsafe features. However, these modifications can be time-consuming.

As a temporary solution, you can apply /Platform/Security/Headers/Unsafe Content-Security-Policy to allow custom pages to function without affecting the overall OpenPages CSP. Use /Platform/Security/Headers/Unsafe Content-Security-Policy for URLs that require unsafe settings, such as 'unsafe-inline' and 'unsafe-eval'.

To apply /Platform/Security/Headers/Unsafe Content-Security-Policy, enter the relative URLs that need the unsafe CSP in the registry setting /Platform/Security/Headers/Unsafe Content-Security-Policy URLs. Enter each URL on a separate line.

To specify a URL for a report, enter /publishweb followed by the path you traverse to find the file in System Files. An example of a URL for a report is /publishweb/Reports/SOX/PCM Reports/Policy_PublishingHelper.jsp.

To specify a URL for a helper, use the relative path that you see in the popup URL. Don't include query parameters or any context root such as '/openpages'. An example of a URL for a helper is /Wizard/MyHelper.jsp.

Ensure that you modify the custom pages as soon as possible so that they don't require unsafe settings anymore.

For more information about enabling custom helpers, see Many custom helpers stop working correctly after upgrading to 9.0.0.3.

For more information about the 'unsafe-eval' CSP keyword, see Content Security Policy (CSP) Quick Reference Guide.

Replacing FastMap Import and FastMap Import Status reports

Instead of using FastMap Import and FastMap Import Status reports, you can use the FastMap user interface. For more information, see Accessing FastMap to import data and view status.

As an alternative to using the FastMap user interface, you can add the following URLs to the registry setting /Platform/Security/Headers/Unsafe Content-Security-Policy URLs:

/publishweb/Reports/SOX/FastMap/FastMap_Import.jsp
/publishweb/Reports/SOX/FastMapImportProcessStatus.jsp
/report/fastMap.jsp
/report.tree.post.do

Replacing legacy reports and helpers

Legacy reports and helpers, such as the KRI and KPI Value Creation utilities, have been replaced by newer functionality.

For more information, see the Legacy reports and helpers topic in the IBM OpenPages Solutions Guide.