Content Security Policy
Hi,
We have implemented custom CSP rule for our application. In CSP rule there is no option to implement prefetch-src as 'self' . Where should this be implemented ?
I have tried to implement it in response header and it gives me a warning as below:
The Content-Security-Policy directive 'prefetch-src' is implemented behind a flag which is currently disabled.
Also CSP headers are not a part of response on the login screen, and if CSP is added in response header will it be overridden by the CSP rule defined at application level once logged in. How can this be configured?
Regards,
Jill Haria
Pegasystems Inc.
US
Hi Jill,
Below error can be seen when the browser doesn't recognize or not supported by default. Explore chrome://flags on your browser to find prefetch-src directive specific dependent flags and Enable it to check if error is observed. Resolving certain flags is up to the client's browser.
"The Content-Security-Policy directive 'prefetch-src' is implemented behind a flag which is currently disabled"
For the second part of your question,
Hi Jill,
Below error can be seen when the browser doesn't recognize or not supported by default. Explore chrome://flags on your browser to find prefetch-src directive specific dependent flags and Enable it to check if error is observed. Resolving certain flags is up to the client's browser.
"The Content-Security-Policy directive 'prefetch-src' is implemented behind a flag which is currently disabled"
For the second part of your question,
In order to make sure these headers are set,
CSP header can potentially get skipped if there is direct streaming enabled.
In order to get CSP header on all requests, you can disable direct streaming (via setting below). The performance may degrade slightly because of this.
please add the following setting:
Use Pega-Engine as the owning ruleset
purpose = prconfig/initialization/httpstreamduringassembly/default
value = false
Let me know if it helps!
Cognizant
IN
Thank you Harish.
But enabling specific dependent flags din't work. I am still getting the below warning:
"The Content-Security-Policy directive 'prefetch-src' is implemented behind a flag which is currently disabled"
Also how should the manifest-src and prefetch-src be implemented in CSP rule or any other rule? As implementing it is DSS ResponseHeader is giving me an error.
Also the below flag is already set as false:
Use Pega-Engine as the owning ruleset
purpose = prconfig/initialization/httpstreamduringassembly/default
value = false
Regards,
Jill Haria
Pegasystems Inc.
US
HI Jill,
I am unsure why clientside browsers complain that it couldn't apply the prefetch-src directive. If you are using chrome, there are few more people complained about prefetch-src not being applied and it may be a bug.
https://stackoverflow.com/questions/55626147/preload-and-csp-in-chrome
In general, if the prefetch-src or manifect-src is absent, the user agent(browser) looks for default-src directive.
I think we don't have to look for other places where you can set these CSP headers, they are already set properly through DSS and due to the fact that browser coudln't resolve them, we see an error.
You can also try setting the requires CSP directives as HTTP response headers, at the load balancer or WebServer level (if you have one). That might just help setting it, but resolving them is up to the browser.
Hope it helps!