CSP default-src not used as fallback

Hi,

After the upgrade to version 12, we noticed more options in the CSP page besides the default-src only before. According to the documentation on https://support.sugarcrm.com/Documentation/Sugar_Versions/12.0/Ent/Administration_Guide/System/#Content_Security_Policy_Settings, values defined in default-src will be applied to connect-src if that field is empty:

However, when default-src field is configured with the right values and connect-src field is blank, I still get an error while doing calls to our application.

Is there something that can be done to get this to work only using the default-src field? Is it a known issue maybe?

Thanks in advance!

Best regards,

Steven.

Parents

0 Rafael Fernandes over 3 years ago

Hi Steven Van Loon,

'default-src' is used and overridden by the other options if needed be.

What are you trying to accomplish here? Embeeding an IFrame in a dashlet? Using dashlet web?

What is the exact error you are getting?

SugarCRM | Principal Developer Advocate
0 Jeff Bickart over 3 years ago in reply to Rafael Fernandes

Rafael Fernandes

We are trying to access the Google Maps API it's no longer working in Sugar 12 with the advanced options of CSP being blank.
0 Rafael Fernandes over 3 years ago in reply to Jeff Bickart

Jeff Bickart,

What you're saying is, if you add Google Maps API URL in 'default-src' prevents it to work and when you add it to 'connect-src' it works?

If that's the case, I'd open a support ticket because this is not how it's supposed to work.

SugarCRM | Principal Developer Advocate

Reply

0 Rafael Fernandes over 3 years ago in reply to Jeff Bickart

Jeff Bickart,

What you're saying is, if you add Google Maps API URL in 'default-src' prevents it to work and when you add it to 'connect-src' it works?

If that's the case, I'd open a support ticket because this is not how it's supposed to work.

SugarCRM | Principal Developer Advocate

Children

No Data