Content security policy
The Content Security Policy (CSP) is a set of directives that tell the user's browser from which locations an application can load resources. These locations are provided in the form of URL schemes, including an asterisk (*) to represent all URLs. Each directive governs a specific resource type that affects what is displayed in a browser. Collectively, the directives are sent to the client in the Content-Security-Policy HTTP header. Each browser type and version obeys as much of the policy as it can: a browser ignores any directive that it does not understand and explicitly follows every directive that it does.
Configuring CSP for Legacy Webchat
Configure the CSP directives so that browsers load resources only from authorized websites.
- In the Dev Studio header, click the application, and then click Definition.
- On your application page, click the Security tab.
- In the Content security section, press the down arrow, and then select the policy name for which you want to configure the directives.
- To configure the CSP directives for the selected policy, click the Open icon beside the policy name.
- On the Policy Definition tab, in the Content Security Policy section, expand the section of the directive for which you want to list allowed websites.
- Under Allowed websites, click the Add a row icon.
- In the Allowed websites field, enter the URL of the website for which to grant access. For Legacy Webchat, enter the chat URL in the Allowed websites field for Connect-Source, Script-Source, and Image-Source directives.
- In the Notes field, enter a short description about why the site should have access.
- Click Save to save the CSP directives.
- On your application page, specify whether to enforce the policy, or to report usage of the policy without enforcing the policy, by selecting either of the following modes:
  - Reject and report: Enforces the policy.
  - Report only: Reports, but does not enforce the policy.
- Click Save to save all the changes on the application page.
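After saving, the header that the application actually returns can be checked against the allowlist configured above. The following is an added example, not part of the original page and not Pega code: it assumes that the Connect-Source, Script-Source, and Image-Source fields correspond to the standard connect-src, script-src, and img-src directives, that the two modes correspond to the Content-Security-Policy and Content-Security-Policy-Report-Only headers, and it uses https://chat.example.com as a placeholder chat URL.

```javascript
// Added example, not Pega code: audit a response's CSP for the webchat allowlist.
// Assumed mapping of UI labels to standard directives (not stated on the page).
const REQUIRED = ["connect-src", "script-src", "img-src"];

// Parse a policy string into Map(directive -> [source expressions]).
// Directive names are case-insensitive; a repeated directive is ignored.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// True if one source expression covers the origin; path-scoped sources are not handled.
function covers(source, origin) {
  const src = source.toLowerCase().replace(/\/$/, "");
  const o = new URL(origin);
  if (src === o.origin || src === o.host) return true;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?\*\.(.+)$/);
  return !!m && (!m[1] || m[1] + ":" === o.protocol) && o.host.endsWith("." + m[2]);
}

// headers: object keyed by lower-case header name (as Node's http module gives).
function auditWebchatCsp(headers, chatOrigin) {
  const enforced = headers["content-security-policy"];
  const reportOnly = headers["content-security-policy-report-only"];
  const mode = enforced ? "enforced" : reportOnly ? "report-only" : "none";
  const result = { mode, missing: [], unrestricted: [] };
  if (mode === "none") return result;
  const policy = parseCsp(enforced || reportOnly);
  for (const directive of REQUIRED) {
    // Fetch directives fall back to default-src; with neither, nothing is restricted.
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (!sources || sources.includes("*")) result.unrestricted.push(directive);
    else if (!sources.some((s) => covers(s, chatOrigin))) result.missing.push(directive);
  }
  return result;
}

// Constructed sample: img-src omits the chat origin, script-src allows any host.
const sample = {
  "content-security-policy-report-only":
    "default-src 'self'; connect-src 'self' https://chat.example.com; " +
    "script-src *; img-src 'self'",
};
console.log(auditWebchatCsp(sample, "https://chat.example.com"));
```

A directive listed under `missing` would block the chat once the policy is enforced; one listed under `unrestricted` allows any host and defeats the purpose of the allowlist.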