Skip to main content

Question

 Maarten Veger (MaartenBPM)
BPM Company
Practice lead & Pega CLSA
BPM Company
NL
MaartenBPM Member since 2013 14 posts
BPM Company
Posted: Mar 4, 2024
Last activity: Apr 3, 2024
Posted: 4 Mar 2024 9:31 EST
Last activity: 3 Apr 2024 16:03 EDT
Solved

Is it needed that Content Security Policy rule pxDefaultSecured allows the google analytic image?

We're using a Content Security Policy-rule based on pxDefaultSecured which is the default most secured CSP. By default this allows:

- Loading fonts from https://fonts.gstatic.com (google static) , that seems ok to me;

- Image-Source from http://www.google-analytics.comhttps://www.google-analytics.com, https://ssl.google-analytics.com ;

- Script-source from http://www.google-analytics.com and https://ssl.google-analytics.com .

I would not expect that by default the secure CSP allows the google analytics script and image.

Why is this allowed by default?

To see attachments, please log in.
Pega Platform 8.7.6
Security
Partners and Integrations
System Administration
Other Industry
Lead System Architect
Team Lead

  • Reply

Accepted Solution

Posted: 8 months ago
Updated: 7 months ago
Posted: 14 Mar 2024 9:24 EDT
Updated: 3 Apr 2024 16:03 EDT
Manojkumar Jayachandran (Manojkumar_ J )
PEGA
Associate Technical Support Engineer
Pegasystems Inc.
IN

@MaartenBPM The google analytics component is being used in many of the areas internally in the code like ,In Snippet Rule creation and also internal help documents you see in the rules and to make those scripts and image sources that are being used in the default code of Pega whitelisted these are added to the OOTB CSP  Thank you !

To see attachments, please log in.
Posted: 8 months ago
Posted: 4 Mar 2024 12:53 EST
Saranya Das (Saranya1996)
VOIS
Deputy Manager
VOIS
IN

Hi @MaartenBPM  -  CSP is designed to prevent certain types of attacks like Cross-Site Scripting (XSS) and data injection attacks. It's important to restrict sources to only trusted domains, but then again since Google Analytics is one of the most widely used and trusted web analytics service I believe it was added as default. There could be other possible reasons as well but this is just my assumption.

To see attachments, please log in.

Accepted Solution

Posted: 8 months ago
Updated: 7 months ago
Posted: 14 Mar 2024 9:24 EDT
Updated: 3 Apr 2024 16:03 EDT
Manojkumar Jayachandran (Manojkumar_ J )
PEGA
Associate Technical Support Engineer
Pegasystems Inc.
IN

@MaartenBPM The google analytics component is being used in many of the areas internally in the code like ,In Snippet Rule creation and also internal help documents you see in the rules and to make those scripts and image sources that are being used in the default code of Pega whitelisted these are added to the OOTB CSP  Thank you !

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice