
How to configure the Content Security Policy header in IBM Content Navigator

How To


Summary

The default value of the Content Security Policy (CSP) header used by the default web application firewall (WAF) policy in IBM Content Navigator (ICN) doesn't allow loading external resources unless HTTPS is used. It also doesn't allow ICN to be embedded in external domains even when HTTPS is used. You need to use a custom policy file and configure the value of the CSP header if you need to remove these restrictions for external domains you trust.

Objective

Use a custom WAF policy file and configure the value of the CSP header to allow loading external resources using protocols other than HTTPS or embedding ICN in external domains.

Steps

1. Stop the ICN server.
2. Update the web.xml file to use a custom WAF policy file.
  • For ICN 3.0.8 and later, use the Configuration and Deployment tool to set the WAF policy option to Custom and specify the path to a custom policy file.
  • For versions earlier than ICN 3.0.8, edit the web.xml file to set the path to a custom policy file, for example:
<filter>
    <filter-name>ESAPIWebApplicationFirewallFilter</filter-name>
    <filter-class>com.ibm.ecm.filters.ESAPIWafFilter</filter-class>
    <init-param>
        <param-name>configuration</param-name>
        <param-value>/opt/IBM/ECMClient/config/ESAPIWafPolicy.xml</param-value>
    </init-param>
    <init-param>
        <param-name>filterUploads</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
3. Edit the custom policy file to configure the value of the CSP header, for example:
Allow embedding external resources that are served over HTTP by appending "; frame-src 'self' blob: https: http://external-domain:*" to the existing value. This is needed, for example, when you edit documents with Office Online over HTTP in non-production environments.
<add-header name="Content-Security-Policy" value="default-src 'self' blob: https:; font-src 'self' data: blob: https:; img-src 'self' data: blob: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; worker-src 'self' blob: https:; style-src 'self' 'unsafe-inline' https:; frame-ancestors 'self'; frame-src 'self' blob: https: http://external-domain:*" path="/.*"/>
Allow loading external resources over protocols other than HTTPS (HTTP and WSS in this example) by appending "; connect-src 'self' blob: https: http://external-domain:* wss://external-domain:*" to the existing value.
<add-header name="Content-Security-Policy" value="default-src 'self' blob: https:; font-src 'self' data: blob: https:; img-src 'self' data: blob: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; worker-src 'self' blob: https:; style-src 'self' 'unsafe-inline' https:; frame-ancestors 'self'; connect-src 'self' blob: https: http://external-domain:* wss://external-domain:*" path="/.*"/>
Allow an external domain to embed ICN by appending "https://external-domain:*" to the existing value of the "frame-ancestors" directive. This is needed, for example, when you use ICN Web Parts in Microsoft SharePoint pages. Note: You'll also need to remove the X-Frame-Options header.
<add-header name="Content-Security-Policy" value="default-src 'self' blob: https:; font-src 'self' data: blob: https:; img-src 'self' data: blob: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; worker-src 'self' blob: https:; style-src 'self' 'unsafe-inline' https:; frame-ancestors 'self' https://external-domain:*" path="/.*"/>
4. Repackage and redeploy ICN, then start the ICN server.
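To check what a CSP edit actually permits before repackaging ICN, the following Python script (an added example written for this article, not IBM code) models the subset of CSP source matching that the directives above rely on: 'self', scheme sources such as https: and blob:, and host sources with a wildcard port such as http://external-domain:*. It parses a header value, applies the default-src fallback that frame-src and connect-src have and frame-ancestors does not, and replays the three changes from step 3 against constructed URLs. The ICN origin https://icn.example.com, the request URLs and the port numbers are assumptions made for the example; path matching, nonces, hashes and redirects are not modelled.

```python
import re

DEFAULT_CSP = (  # default value from the ICN WAF policy, copied from the header above
    "default-src 'self' blob: https:; font-src 'self' data: blob: https:; "
    "img-src 'self' data: blob: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; "
    "worker-src 'self' blob: https:; style-src 'self' 'unsafe-inline' https:; "
    "frame-ancestors 'self'"
)
ICN = "https://icn.example.com"  # assumed ICN origin (constructed for this example)
# Fetch directives that fall back to default-src when absent; frame-ancestors has no fallback.
FALLS_BACK_TO_DEFAULT = {"connect-src", "font-src", "frame-src", "img-src",
                         "script-src", "style-src", "worker-src"}
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}
URL = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[^:/]+)"
                 r"(?::(?P<port>\d+))?(?:/.*)?$", re.I)
HOST_SOURCE = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
                         r"(?P<host>\*|(?:\*\.)?[^:/*]+)"
                         r"(?::(?P<port>\d+|\*))?(?:/.*)?$", re.I)

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _scheme_matches(expected, actual):
    # CSP3 scheme-part rules: http also covers https, ws also covers wss and https
    expected, actual = expected.lower(), actual.lower()
    return (expected == actual or (expected == "http" and actual == "https")
            or (expected == "ws" and actual in ("wss", "http", "https"))
            or (expected == "wss" and actual == "https"))

def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == "*" or pattern == host

def _port_of(m):
    return int(m["port"]) if m["port"] else DEFAULT_PORT.get(m["scheme"].lower())

def source_matches(source, url, page_origin):
    """True if one CSP source expression permits `url` for a page at `page_origin`."""
    target, page = URL.match(url), URL.match(page_origin)
    if source == "'self'":
        return bool(target) and (target["scheme"].lower() == page["scheme"].lower()
                                 and target["host"].lower() == page["host"].lower()
                                 and _port_of(target) == _port_of(page))
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if source.endswith(":") and "/" not in source:  # scheme-source: https:, blob:, data:
        return _scheme_matches(source[:-1], url.split(":", 1)[0])
    pattern = HOST_SOURCE.match(source)
    if not pattern or not target:
        return False
    if not _scheme_matches(pattern["scheme"] or page["scheme"], target["scheme"]):
        return False
    if not _host_matches(pattern["host"], target["host"]):
        return False
    if pattern["port"] == "*":
        return True  # ':*' in the policy means any port on that host
    if pattern["port"]:
        return int(pattern["port"]) == _port_of(target)
    return _port_of(target) == DEFAULT_PORT.get(target["scheme"].lower())

def csp_allows(csp_value, directive, url, page_origin=ICN):
    """Decide whether a CSP value permits `url` under `directive`."""
    policy = parse_csp(csp_value)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: the browser imposes no restriction
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, page_origin) for s in sources)

def check_scenarios():
    """Replay the three edits from step 3 against constructed URLs, before and after."""
    frame_src = DEFAULT_CSP + "; frame-src 'self' blob: https: http://external-domain:*"
    connect_src = DEFAULT_CSP + ("; connect-src 'self' blob: https: "
                                 "http://external-domain:* wss://external-domain:*")
    frame_anc = DEFAULT_CSP.replace("frame-ancestors 'self'",
                                    "frame-ancestors 'self' https://external-domain:*")
    wopi = "http://external-domain:8080/hosting/wopi"  # Office Online over HTTP (constructed)
    sock = "wss://external-domain:9443/socket"         # WebSocket endpoint (constructed)
    embedder = "https://external-domain/sites/docs"    # page embedding ICN (constructed)
    cases = [("http iframe", frame_src, "frame-src", wopi),
             ("wss connect", connect_src, "connect-src", sock),
             ("embed", frame_anc, "frame-ancestors", embedder)]
    return {f"{name} {when}": csp_allows(csp, directive, url)
            for name, after, directive, url in cases
            for when, csp in (("before", DEFAULT_CSP), ("after", after))}

if __name__ == "__main__":
    for name, allowed in check_scenarios().items():
        print(f"{name:20s} {'allowed' if allowed else 'blocked'}")
```

Running it prints allowed or blocked for each scenario. Two things the output makes visible that are easy to miss when editing the header by hand: http://external-domain:* opens every port on that host (and, under the CSP3 scheme rules the script implements, https on that host as well), so name the port when it is known; and frame-ancestors has no default-src fallback, which is why the embedding case only changes once that directive itself is edited and why X-Frame-Options must be removed as well, as the note above says.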

Document Location

Worldwide


Document Information

Modified date:
06 May 2021

UID

ibm16229174