Help4.x

Content Security Policy: Options

From Joomla! Documentation

Revision as of 05:52, 22 September 2020 by MartijnM (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Description[edit]

The Content Security Policy Options screen is used to set up the default CSP.

How to Access[edit]

  • Select System  Global Configuration from the Administrator menu. Then...
    • Select Content Security Policy from the Component list.

Screenshot[edit]

Content-security-policy-options-en.png

Form Fields[edit]

Content-Security-Policy (CSP)[edit]

These options control the Content-Security-Policy.

  • Content Security Policy (CSP). (Enabled/Disabled) Whether to Enable or Disable the Content-Security-Policy.
  • Mode. (Custome/Detect/Automatic) Configures the mode the plugin generates the Content-Security-Policy on. The Custom mode allows manual configuration. The Detect mode enables the report collection and the automatic mode uses the collected reports to generate the Content-Security-Policy.
  • Report-Only. (Enabled/Disabled) Use the header 'Content-Security-Policy-Report-Only' instead of 'Content-Security-Policy'.
  • Nonce. (Enabled/Disabled) Enable the whitelist for specific inline scripts using a cryptographic nonce (number used once) for all scripts and styles using the Joomla API. Specifying a nonce makes a modern browser ignore 'unsafe-inline' which should still be set for older browsers without nonce support.
  • Script hashes. (Enabled/Disabled) Enable the optional hash based whitelist inline scripts using a cryptographic hash for all scripts using the Joomla API. Specifying hashes makes a modern browser ignore 'unsafe-inline' which should still be set for older browsers without hash support.
  • Style hashes. (Enabled/Disabled) Enable the optional hash based whitelist inline styles using a cryptographic hash for all styles using the Joomla API. Specifying hashes makes a modern browser ignore 'unsafe-inline' which should still be set for older browsers without hash support.
  • frame-ancestors 'self'. (Enabled/Disabled)Enable the CSP clickjacking protection frame-ancestors and only allow the origin 'self'. Please use the form below to allow origins other than 'self'.
  • Add Directive. (Subform) You can use this subform to add as many entries as you want for the Content-Security-Policy by setting the Policy Directive, Value and Client.

Permissions[edit]

This section lets you set up the default ACL permissions for the Content-Security-Policy Component To change the permissions for this extension, do the following.

  • Select the Group by clicking its title located on the left.
  • Find the desired Action. Possible Actions are:
    • Configure ACL & Optons. Users can edit the options and permissions of this extension.
    • Configure Optons Only. Users can edit the options exept the permissions of this extension.
    • Access Administration Interface. Users can access user administration interface of this extension.
    • Create: Users can create content of this extension.
    • Delete: Users can delete content of this extension.
    • Edit: Users can edit content of this extension.
    • Edit State: User can change the published state and related information for content of this extension.
    • Edit Own: Users can edit own created content of this extension.
  • Select the desired permission for the action you wish to change. Possible settings are:
    • Inherited: Inherited for users in this Group from the Global Configuration permissions of this extension.
    • Allowed: Allowed for users in this Group. Note that, if this action is Denied at one of the higher levels, the Allowed permission here will not take effect. A Denied setting cannot be overridden.
    • Denied: Denied for users in this Group.
  • Click Save in Toolbar at top. When the screen refreshes, the Calculated Setting column will show the effective permission for this Group and Action.

Toolbar[edit]

At the top of the page you will see the toolbar shown in the Screenshot above. The functions are:

  • Save. Saves the item and stays in the current screen.
  • Save & Close. Saves the item and closes the current screen.
  • Close. Closes the current screen and returns to the previous screen without saving any modifications you may have made. This toolbar icon is not shown if you are creating a new item.
  • Help. Opens this help screen.

Quick Tips[edit]

  • By default the Content-Security-Policy is disabled and has to be enabled and configured.
  • Please note that this Component requires the Plugin System - HTTP Headers (plg_system_httpheaders) to be enabeld.

Related Information[edit]