CSP default-src not used as fallback

Hi,

After the upgrade to version 12, we noticed more options in the CSP page besides the default-src only before. According to the documentation on https://support.sugarcrm.com/Documentation/Sugar_Versions/12.0/Ent/Administration_Guide/System/#Content_Security_Policy_Settings, values defined in default-src will be applied to connect-src if that field is empty.

However, when default-src field is configured with the right values and connect-src field is blank, I still get an error while doing calls to our application.

Is there something that can be done to get this to work only using the default-src field? Is it a known issue maybe?

Thanks in advance!

Best regards,

Steven.

  • Hi,

    'default-src' is used and overridden by the other options if need be.

    What are you trying to accomplish here? Embedding an IFrame in a dashlet? Using dashlet web?

    What is the exact error you are getting?

    SugarCRM | Principal Developer Advocate

  • We are trying to access the Google Maps API; it's no longer working in Sugar 12 with the advanced options of CSP being blank.

  • What you're saying is that adding the Google Maps API URL to 'default-src' prevents it from working, and when you add it to 'connect-src' it works?

    If that's the case, I'd open a support ticket because this is not how it's supposed to work.

    SugarCRM | Principal Developer Advocate

  • Hi Rafael,

    We have a custom package that allows the end user to open the url of our application on a record. When the url is only in default-src with connect-src empty, this error occurs

    Content Security Policy: The page’s settings blocked the loading of a resource at [url of our app] (“connect-src”).

    If the url of our app is added to connect-src also, it works without errors.

    Gr, Steven.

  • Hi Steven,

    As per CSP's specification, the user agent should fall back to default-src.

    I've seen (with Google Maps even) that they first give you a 302 response and redirect to a different URL; that URL must also be present in the default-src.

    Something is going on along those lines; it is not related to the fallback.

    If you are confident that this is not the case, please open a support ticket with all the details you have and if possible, a reproducible scenario so we can investigate.

    SugarCRM | Principal Developer Advocate
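The thread above turns on two points: connect-src falls back to default-src only when connect-src is absent (a connect-src entry replaces the default-src list rather than adding to it), and a request that is redirected is checked again at every hop, so a 302 to a host that is not in the list is blocked with a "connect-src" message even though the first URL was allowed. The following is an added example, not SugarCRM's code or the poster's package: a small model of how a browser resolves a CSP fetch directive and checks a redirect chain against it, with the policies, page URL and redirect chain constructed for illustration. It also applies one CSP Level 3 detail the thread does not mention: after a redirect, only the scheme, host and port of a host-source are compared, and its path part is ignored.

```javascript
// Added example (not SugarCRM's code): model how a browser picks the source list
// for connect-src (own list, else default-src) and checks every hop of a redirected
// request against it. Hostnames, policies and the redirect chain are constructed.

const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// Fetch directives that fall back to default-src when they are absent from the policy.
const FALLS_BACK_TO_DEFAULT = new Set([
  "child-src", "connect-src", "font-src", "frame-src", "img-src", "manifest-src",
  "media-src", "object-src", "script-src", "style-src", "worker-src",
]);

// Parse a Content-Security-Policy header value into a Map of directive -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // duplicate directive: first wins
  }
  return policy;
}

// The list governing `directive`: its own list if present, otherwise default-src.
// The lists replace each other; they are never merged.
function governingList(policy, directive) {
  if (policy.has(directive)) return { name: directive, sources: policy.get(directive) };
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    return { name: "default-src", sources: policy.get("default-src") };
  }
  return null; // nothing governs this directive: the request is allowed
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

// Does one source expression match `url`? After a redirect (redirectCount > 0) the
// path part of a host-source is ignored; scheme, host and port still have to match.
function sourceMatches(expr, url, page, redirectCount) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === page.origin;
  if (expr.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes never match a URL
  if (expr === "*") return NETWORK_SCHEMES.has(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPattern, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (url.protocol !== page.protocol && !(page.protocol === "http:" && url.protocol === "https:")) {
    return false; // scheme-less host-source: the page's scheme, or its https upgrade
  }
  if (!hostMatches(hostPattern.toLowerCase(), url.hostname)) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== "*" && port !== urlPort) return false;
  if (path && redirectCount === 0) {
    const ok = path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
    if (!ok) return false;
  }
  return true;
}

// Walk the request and its redirect targets; every hop must pass connect-src.
// Returns the first blocked URL, its hop index, and which list was applied.
function checkConnect(header, pageUrl, chain) {
  const policy = parsePolicy(header);
  const page = new URL(pageUrl);
  const list = governingList(policy, "connect-src");
  if (!list) return { blocked: null, hop: -1, via: null };
  for (let hop = 0; hop < chain.length; hop++) {
    const url = new URL(chain[hop]);
    if (!list.sources.some((e) => sourceMatches(e, url, page, hop))) {
      return { blocked: chain[hop], hop, via: list.name };
    }
  }
  return { blocked: null, hop: -1, via: null };
}

const PAGE = "https://crm.example.com/index.php"; // constructed page URL
// Constructed chain: the app answers the first request with a 302 to a regional host.
const CHAIN = ["https://app.example.com/record/42", "https://app-eu.example.com/record/42"];

// Only the first hop is listed: the fallback works, but the redirect target is blocked.
const onlyFirstHop = checkConnect("default-src 'self' https://app.example.com", PAGE, CHAIN);
// Both hops listed in default-src, connect-src left empty: allowed end to end.
const bothHops = checkConnect(
  "default-src 'self' https://app.example.com https://app-eu.example.com", PAGE, CHAIN);
// A connect-src entry replaces default-src for this directive instead of extending it.
const overridden = checkConnect(
  "default-src 'self' https://app.example.com; connect-src 'self'", PAGE, CHAIN);

console.log(onlyFirstHop, bothHops, overridden);
```

In the first case the browser reports the effective directive, connect-src, in its console message although the list it applied came from default-src, so a message naming "connect-src" is not by itself evidence that the fallback failed; walking the actual redirect chain (the Network tab, or curl -I against the app URL) shows which hop is missing from the list.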