Content Security Policies can be enabled in HappyFox Helpdesk accounts. This article gives you the mechanism in which it can be done in your accounts.
What is Content Security Policy?
What is Content Security Policy?
Having Content Security Policy enabled ensures a safe and secure environment for your end users to use the HappyFox solution.
- Create a secure environment for your end-users. It prevents your browser from loading unsafe code/script/style.
- Mitigate against malicious web attacks. These include Cross Site Scripting (XSS), card skimming, session hijacking, code injection, clickjacking, and more.
By enabling CSP, HappyFox administrators allow external content (like videos/scripts) from only specific domains to be loaded in their accounts. This ensures an additional layer of security providing a safe environment for your agents and customers who access your HappyFox accounts.
By default, HappyFox has whitelisted required sources/domains for basic functioning of the app. This includes in-built marketplace integrations of HappyFox Helpdesk, popular video hosting services (like Youtube, Vimeo, Wistia), and other required sources. Also, all images are allowed to be rendered in the HappyFox application.
Customizing CSP for each account: Admins will have to specify the sources they would like to whitelist so that content from these sources can be allowed while rendering in the UI. These sources could be a domain, scripts, style, images, font, directory or at a file path. Full list of sources that you can whitelist or allow can be found in the Source List Reference section.
CSP can be individually enabled for your Agent Portal and Support Center. This provides an opportunity for you to separately address what content is safe and allowed for your agents (who work on tickets in the staff portal) and your end customers (who use the Support Center for submitting tickets and accessing KB).
Enabling CSP in your HappyFox Account
HappyFox Admins who have access to Manage > Security will be able to configure this section. Goto Manage > Security > Content Security Policy.
You can individually choose to enable the CSP for agent portal and support center, based on its corresponding needs. Switch ON the toggles for Agent Portal and Support Center as per your need and Save.
Click the arrow for the corresponding segment to add the trusted domains. You can add sources for the following types: Script, Style, Connect, Font, Media, Frame, Default, Object, and Worker.
Provide the URLs for the respective sources (Separate urls by comma). A sample is shown below
What happens when a web request violates the policy?
Once CSP is applied, content only from the trusted sources will be allowed to be rendered in the UI. Any other external requests that require content to be shown will be blocked and NOT shown in the HappyFox account. This applies for both Agent portal and Support Center. You can visit the browser console to view the request details and its source domains. Reach out to your administrator and see if the domain needs to be added to the content security policy.
Frequently Asked Questions
- Will CSP block screenshots present in the incoming email? All images added by a contact will be rendered. These images could be local files uploaded or images belonging to an externally hosted site.
- Will videos be blocked by the CSP? All videos that are uploaded from files will be rendered. Inline videos hosted in YouTube, Vimeo and Wistia will be allowed by default. Videos embedded from other sites will not be allowed by default. However, admins can whitelist required sites using the CSP policy.
- Is CSP enabled in all HappyFox accounts? By default, the CSP in Agent Portal is enabled for all new accounts created since Jun-2022. However, The CSP feature is available for all HappyFox accounts. Admins can choose to enable it and leverage this feature.
- How does CSP handle links? As agents work on tickets, they generally encounter messages that contain links. These links could be images, videos that open in a new tab. In such cases, agents need to be cautious of the links that are being clicked. The scope of CSP is only for content that is rendered within the app (Agent portal and Support Center). Content that opens in a new tab (different domain) is outside the scope of CSP.
- Is there any impact for contacts to raise tickets from Support Center? No impact. Contacts can upload local images and videos from the support center of respective HappyFox accounts.
- Which browsers support CSP? Content Security Policy is supported by all the major modern browsers, and has been for many years. It is not supported in Internet Explorer. Click Here to check if your browser supports CSP. The list of browser versions that support CSP is available. Click Here to refer to the same.
- What are some typical scenarios where an account needs to configure CSP? Admins need to consider CSP whenever information from external sources are rendered in the UI while adding HTML.
Click Here to go through a working example of Content Security Policy