戻る
-
タイトル
Content Security Policy Tips -
説明
CSP (Content Security Policy) allows the user to only allow specific domains to display content on the KACE SMA. This can help with mitigating attacks such as Cross-Site Scripting and data injection.
-
対策
Warning: Misconfiguration of CSP can lead to certain appliance functionality not working correctly such as images and videos not being displayed. KACE Support should be contacted if misconfiguration leads to access issues.
For detailed information regarding CSP, please refer to Mozilla’s MDN Web Docs on Content Security Policy (CSP).
A selective list of directives have been added to the KACE SMA.- Default-src
- Style-src
- Script-src
- Frame-src
- Media-src
- Worker-src
- Font-src
- Img-src
NOTE: Any domain/URL added to a directive that is not the default-src will block that specific content from any other domains that are also not added to that specific directive
Domain/URL can contain a variety of sources. Please see CSP source values for more information.
When enabling CSP, a list of KACE Trusted Domains are automatically added. These items are critical to the functionality of the KACE SMA appliance and are not configurable.
Directive KACE Trusted Domains Default-src *.quest.com127.0.0.1*.brightcove.com*.brightcove.net*.boltdns.netStyle-src *.googleapis.com Script-src *.zencdn.net*.brightcove.com*.brightcove.netImg-src *.brightcove.com*.brightcove.net