CSP default-src not used as fallback

Hi,

After the upgrade to version 12, we noticed more options in the CSP page besides the default-src only before. According to the documentation on https://support.sugarcrm.com/Documentation/Sugar_Versions/12.0/Ent/Administration_Guide/System/#Content_Security_Policy_Settings, values defined in default-src will be applied to connect-src if that field is empty:

However, when default-src field is configured with the right values and connect-src field is blank, I still get an error while doing calls to our application.

Is there something that can be done to get this to work only using the default-src field? Is it a known issue maybe?

Thanks in advance!

Best regards,

Steven.

0 Rafael Fernandes over 1 year ago

Hi Steven Van Loon,

'default-src' is used and overridden by the other options if needed be.

What are you trying to accomplish here? Embeeding an IFrame in a dashlet? Using dashlet web?

What is the exact error you are getting?

SugarCRM | Principal Developer Advocate
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Jeff Bickart over 1 year ago in reply to Rafael Fernandes

Rafael Fernandes

We are trying to access the Google Maps API it's no longer working in Sugar 12 with the advanced options of CSP being blank.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Rafael Fernandes over 1 year ago in reply to Jeff Bickart

Jeff Bickart,

What you're saying is, if you add Google Maps API URL in 'default-src' prevents it to work and when you add it to 'connect-src' it works?

If that's the case, I'd open a support ticket because this is not how it's supposed to work.

SugarCRM | Principal Developer Advocate
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Steven Van Loon over 1 year ago in reply to Rafael Fernandes

Hi Rafael,

We have a custom package that allows the end user to open the url of our application on a record. When the url is only in default-src with connect-src empty, this error occurs

Content Security Policy: The page’s settings blocked the loading of a resource at [url of our app] (“connect-src”).

if the url of our app is added to connect-src also, it works without errors.

Gr, Steven.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Rafael Fernandes over 1 year ago in reply to Steven Van Loon

Hi Steven,

As per CSP's specification, the user agent should fallback to default-src.

I've seen (with google maps even) that they first give you a 302 response and redirect to a different URL, that URL must also be present in the default-src.

Something is going on along those lines, it is not related to the fallback.

If you are confident that this is not the case, please open a support ticket with all the details you have and if possible, a reproducible scenario so we can investigate.

SugarCRM | Principal Developer Advocate
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel