Content Security Policy: Options
From Joomla! Documentation
Description
The Content Security Policy Options screen is used to set up the default CSP.
How to Access
- Select System → Global Configuration from the Administrator menu. Then...
- Select Content Security Policy from the Component list.
Screenshot
Form Fields
Content-Security-Policy (CSP)
These options control the Content-Security-Policy.
- Content Security Policy (CSP). (Enabled/Disabled) Whether to Enable or Disable the Content-Security-Policy.
- Mode. (Custom/Detect/Automatic) Configures the mode in which the plugin generates the Content-Security-Policy. Custom allows manual configuration, Detect enables report collection, and Automatic uses the collected reports to generate the Content-Security-Policy.
- Report-Only. (Enabled/Disabled) Use the header 'Content-Security-Policy-Report-Only' instead of 'Content-Security-Policy'.
- Nonce. (Enabled/Disabled) Enable the whitelisting of specific inline scripts and styles using a cryptographic nonce (number used once) for all scripts and styles added through the Joomla API. Specifying a nonce makes a modern browser ignore 'unsafe-inline', which should still be set for older browsers without nonce support.
- Script hashes. (Enabled/Disabled) Enable the optional hash-based whitelist for inline scripts, using a cryptographic hash for all scripts added through the Joomla API. Specifying hashes makes a modern browser ignore 'unsafe-inline', which should still be set for older browsers without hash support.
- Style hashes. (Enabled/Disabled) Enable the optional hash-based whitelist for inline styles, using a cryptographic hash for all styles added through the Joomla API. Specifying hashes makes a modern browser ignore 'unsafe-inline', which should still be set for older browsers without hash support.
- frame-ancestors 'self'. (Enabled/Disabled) Enable the CSP clickjacking protection frame-ancestors and allow only the origin 'self'. Use the form below to allow origins other than 'self'.
- Add Directive. (Subform) You can use this subform to add as many entries as you want for the Content-Security-Policy by setting the Policy Directive, Value and Client.
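The way the Nonce, Script hashes, Style hashes, frame-ancestors and Report-Only options above combine into one header, shown as an added example: this is not Joomla's plg_system_httpheaders code but a stand-alone Python model of how the header value is assembled and how a modern browser then evaluates an inline script against it. The function names, the sample inline script and the `img-src https://cdn.example` directive are constructed for illustration and are not part of this page.

```python
"""Added example (not Joomla's plg_system_httpheaders code): build the header
this screen configures and show how a modern browser decides whether an
inline script runs once nonce or hash sources are present."""
import base64
import hashlib
import secrets
from typing import Iterable, List, Optional, Sequence, Tuple

# Source expressions whose presence makes a CSP2/CSP3 browser ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def make_nonce() -> str:
    """Fresh per-response nonce: 128 random bits, base64 as the CSP grammar expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def inline_hash(source: str) -> str:
    """CSP hash source for one inline block: 'sha256-' + base64(SHA-256(exact bytes)).
    Any change to the inline content, even whitespace, changes the hash."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(
    nonce: Optional[str] = None,
    script_hashes: Sequence[str] = (),
    style_hashes: Sequence[str] = (),
    frame_ancestors_self: bool = True,
    extra_directives: Iterable[Tuple[str, str]] = (),
    report_only: bool = False,
) -> Tuple[str, str]:
    """Return (header name, header value) for the chosen options.

    'unsafe-inline' stays in the list so browsers without nonce/hash support
    still run inline code; modern browsers ignore it once a nonce or hash is present.
    """
    script_src: List[str] = ["'self'", "'unsafe-inline'"]
    style_src: List[str] = ["'self'", "'unsafe-inline'"]
    if nonce:  # Nonce option: one nonce for the scripts and styles of this response
        script_src.append(f"'nonce-{nonce}'")
        style_src.append(f"'nonce-{nonce}'")
    script_src.extend(inline_hash(s) for s in script_hashes)  # Script hashes option
    style_src.extend(inline_hash(s) for s in style_hashes)    # Style hashes option

    directives = {"script-src": script_src, "style-src": style_src}
    if frame_ancestors_self:  # frame-ancestors 'self' option (clickjacking protection)
        directives["frame-ancestors"] = ["'self'"]
    for name, value in extra_directives:  # entries from the Add Directive subform
        directives.setdefault(name, []).append(value)

    # Report-Only option: same policy, different header name, violations reported not blocked
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, "; ".join(f"{k} {' '.join(v)}" for k, v in directives.items())


def inline_script_allowed(script_src: Sequence[str], source: str,
                          nonce_attr: Optional[str] = None) -> bool:
    """Decision a CSP Level 2/3 browser makes for one inline <script>.
    With no nonce/hash sources, 'unsafe-inline' decides. Once any nonce or
    hash source is present, 'unsafe-inline' is ignored and the script needs a
    matching nonce attribute or a matching hash of its exact content."""
    if not any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in script_src):
        return "'unsafe-inline'" in script_src
    if nonce_attr and f"'nonce-{nonce_attr}'" in script_src:
        return True
    return inline_hash(source) in script_src


if __name__ == "__main__":
    nonce = make_nonce()
    # Constructed sample: one inline script plus one directive from the subform.
    name, value = build_csp(nonce=nonce, script_hashes=["console.log('hi')"],
                            extra_directives=[("img-src", "https://cdn.example")])
    print(f"{name}: {value}")
    print(build_csp(report_only=True)[0])
```

The point the option descriptions make is visible in `inline_script_allowed`: the same `'unsafe-inline'` keyword is honoured by a policy with no nonce or hash sources and ignored as soon as one is present, and a hash only matches the exact bytes of the inline block. The Report-Only variant emits the identical policy under the other header name, so violations are reported rather than blocked, which is what makes it suitable for trialling a policy before enforcing it.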
Permissions
This section lets you set up the default ACL permissions for the Content-Security-Policy Component. To change the permissions for this extension, do the following.
- Select the Group by clicking its title located on the left.
- Find the desired Action. Possible Actions are:
  - Configure ACL & Options: Users can edit the options and permissions of this extension.
  - Configure Options Only: Users can edit the options except the permissions of this extension.
  - Access Administration Interface: Users can access the user administration interface of this extension.
  - Create: Users can create content of this extension.
  - Delete: Users can delete content of this extension.
  - Edit: Users can edit content of this extension.
  - Edit State: Users can change the published state and related information for content of this extension.
  - Edit Own: Users can edit their own created content of this extension.
- Select the desired permission for the action you wish to change. Possible settings are:
  - Inherited: Inherited for users in this Group from the Global Configuration permissions of this extension.
  - Allowed: Allowed for users in this Group. Note that, if this action is Denied at one of the higher levels, the Allowed permission here will not take effect. A Denied setting cannot be overridden.
  - Denied: Denied for users in this Group.
- Click Save in the Toolbar at the top. When the screen refreshes, the Calculated Setting column will show the effective permission for this Group and Action.
Toolbar
At the top of the page you will see the toolbar shown in the Screenshot above. The functions are:
- Save. Saves the item and stays in the current screen.
- Save & Close. Saves the item and closes the current screen.
- Close. Closes the current screen and returns to the previous screen without saving any modifications you may have made. This toolbar icon is not shown if you are creating a new item.
- Help. Opens this help screen.
Quick Tips
- By default the Content-Security-Policy is disabled and has to be enabled and configured.
- Please note that this Component requires the plugin System - HTTP Headers (plg_system_httpheaders) to be enabled.
Related Information
- To review the collected reports please see: Components CSP Reports
- More details on HTTP Header Tools: Tutorial: Http Header Management in Joomla 4