CSP default-src not used as fallback

Hi,

After the upgrade to version 12, we noticed more options in the CSP page besides the default-src only before. According to the documentation on https://support.sugarcrm.com/Documentation/Sugar_Versions/12.0/Ent/Administration_Guide/System/#Content_Security_Policy_Settings, values defined in default-src will be applied to connect-src if that field is empty.

However, when default-src field is configured with the right values and connect-src field is blank, I still get an error while doing calls to our application.

Is there something that can be done to get this to work only using the default-src field? Is it a known issue maybe?

Thanks in advance!

Best regards,

Steven.

Parents
  • Hi,

    'default-src' is used and overridden by the other options if needed be.

    What are you trying to accomplish here? Embedding an IFrame in a dashlet? Using dashlet web?

    What is the exact error you are getting?

    SugarCRM | Principal Developer Advocate


Children
  • We are trying to access the Google Maps API; it's no longer working in Sugar 12 with the advanced options of CSP being blank.

  • Hi Rafael,

    We have a custom package that allows the end user to open the url of our application on a record. When the url is only in default-src with connect-src empty, this error occurs:

    Content Security Policy: The page’s settings blocked the loading of a resource at [url of our app] (“connect-src”).

    If the url of our app is added to connect-src as well, it works without errors.

    Gr, Steven.
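To illustrate the fallback rule Rafael describes (default-src applies only when connect-src is absent, and any connect-src that is emitted overrides it), here is an added example that is not code from the thread or from SugarCRM. It models how a browser resolves the governing directive for a connection; the policies, hosts and page origin are made up.

```javascript
// Minimal model of CSP fetch-directive fallback (CSP Level 3 semantics):
// connect-src governs a request only when it is present in the policy;
// otherwise the user agent falls back to default-src. Illustration only,
// not SugarCRM code; all hosts below are constructed.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return the directive that actually governs `directive` and its source list,
// or null when neither it nor default-src is present (nothing restricts it).
function effectiveDirective(directives, directive) {
  if (directives.has(directive)) return { name: directive, sources: directives.get(directive) };
  if (directives.has('default-src')) return { name: 'default-src', sources: directives.get('default-src') };
  return null;
}

// Simplified source matching: 'self' against the page origin, '*' matches all,
// otherwise scheme+host(+port) origin equality. Wildcard hosts and paths are not modelled.
function sourceAllows(source, requestUrl, pageOrigin) {
  const req = new URL(requestUrl);
  if (source === "'self'") return req.origin === pageOrigin;
  if (source === '*') return true;
  try { return new URL(source).origin === req.origin; } catch { return false; }
}

// Decide whether a connection (XHR/fetch) to requestUrl is allowed, and report
// which directive made the decision, so a blank connect-src can be distinguished
// from one that was emitted with its own (overriding) source list.
function connectAllowed(policy, requestUrl, pageOrigin) {
  const eff = effectiveDirective(parseCsp(policy), 'connect-src');
  if (!eff) return { allowed: true, governedBy: null };
  const allowed = eff.sources.some(s => sourceAllows(s, requestUrl, pageOrigin));
  return { allowed, governedBy: eff.name };
}

console.log(connectAllowed("default-src 'self' https://app.example.com", 'https://app.example.com/api', 'https://crm.example.org'));
console.log(connectAllowed("default-src 'self' https://app.example.com; connect-src 'self'", 'https://app.example.com/api', 'https://crm.example.org'));
```

The second call shows the situation in the error above: once a connect-src directive is present at all, default-src is no longer consulted for connections, so the app host must be listed in connect-src itself.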