This article gives you a working example of Content Security Policy (CSP) in HappyFox. If you are new to CSP in HappyFox, go through the introductory article first.
Let’s say an admin tries to embed external videos using iframes in the Signature section. HappyFox CSP detects that an iframe or a script is being added and shows a warning. These warnings appear in the following sections: Agent Signature, Category Signature, Notifications, and KB Articles.
The warnings make the admin aware of the external domains that are being referred to. The admin is advised to visit the Security > CSP section and add those domains under the required sources.
Another classic case is when an iframe or script is introduced in a KB article. For example, an agent might add a script in order to analyze usage in Google Analytics. In this case, too, the warning message is shown.
Note that iframes and scripts are rendered only when the Allow Unsafe Content toggle is switched ON. Beyond this, to allow iframes and scripts only from specific domains/sources, the required source URLs need to be added under Content Security Policy > Agent Portal.
Additionally, CSP blocks the external content from being loaded in the UI. As a next step, the admin can open the browser console and identify the specific domain that is being blocked.
Having identified the domain, the agent/admin can add it as an allowed source in the CSP module and save the changes.
Now that the domain has been added in the CSP module, the warning message and the console error are no longer displayed.
Tip: The content added in modules like Signature, Category Signature, and External KB is consumed by end users. Hence, when admins configure these modules to include external content, the domains need to be whitelisted in both the Agent Portal CSP and the Support Center CSP.
Using the Report Only Mode
When the CSP setting for the Agent Portal or Contact Portal is disabled, CSP is in Report Only mode. This means that HappyFox CSP continues to check for external resources and makes a note of them. While the content is allowed to render in the UI, the browser console still shows the error messages and deviations. This helps admins understand the external sources being referred to in their accounts, and it is an effective tool to analyze the impact of CSP before enabling it. Your existing pages/content are not affected while you are in Report Only mode.
Here is an example. The agent adds a video from an external source.
The agent/admin makes a note of the external domain name and adds it to the allowed sources in the CSP section. Once the domain is added, the system no longer shows the error message in the console.
Tip: Sources can be added at any point in time. If CSP is enabled, the system checks content sources and restricts/allows content in the UI as per the defined policy. If CSP is disabled (Report Only mode), the system continues to check for deviations; however, it allows the external content to be rendered and shows the error message in the browser console.
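To make the enforcing vs Report Only distinction concrete, here is an added example (not HappyFox's code) that models how a browser evaluates one iframe or script load against a CSP, before and after the admin allowlists the domain. The policies, the support-center origin and the video/analytics domains are constructed for illustration.

```javascript
// Added example (not HappyFox's code): minimal model of how a browser checks one
// resource load against a CSP, enforcing vs report-only; all values are constructed.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parsePolicy(policy) {
  const out = {};
  for (const t of policy.split(";").map(p => p.trim().split(/\s+/).filter(Boolean)))
    if (t.length) out[t[0].toLowerCase()] = t.slice(1);
  return out;
}

// Does one source expression ('self', https:, *.host, scheme://host/path) match url? (ports ignored)
function sourceMatches(src, url, pageOrigin) {
  const s = src.replace(/^'|'$/g, "").toLowerCase();
  if (s === "none") return false;
  if (s === "self") return url.origin === pageOrigin;
  if (s === "*") return true;
  if (s.endsWith(":")) return url.protocol === s;                  // scheme-source
  const m = s.match(/^(?:(https?):\/\/)?([^\/:]+)(\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, path] = m, h = url.hostname;
  if (scheme && url.protocol !== scheme + ":") return false;
  const hostOk = host.startsWith("*.")                             // wildcard subdomain
    ? h.endsWith(host.slice(1)) && h !== host.slice(2) : h === host;
  return hostOk && (!path || url.pathname.startsWith(path));
}

// Evaluate one load. Enforcing mode blocks a violation; report-only mode still
// renders it, but the console message (the "deviation") appears either way.
function evaluate(policy, directive, resourceUrl, pageOrigin, reportOnly = false) {
  const p = parsePolicy(policy), url = new URL(resourceUrl);
  const sources = p[directive] ?? p["default-src"];                // CSP fallback rule
  const permitted = sources === undefined || sources.some(x => sourceMatches(x, url, pageOrigin));
  const report = permitted ? null
    : `Refused to load ${resourceUrl}: violates ${directive}${reportOnly ? " [Report Only]" : ""}`;
  return { allowed: permitted || reportOnly, report };
}

const PAGE = "https://support.example.com";                        // constructed support-center origin
const BEFORE = "default-src 'self'; frame-src 'self'; script-src 'self'";
const AFTER = "default-src 'self'; frame-src 'self' https://videos.example.com; " +
              "script-src 'self' https://analytics.example.net";   // admin has allowlisted both

function demo() {
  const iframe = "https://videos.example.com/embed/123", script = "https://analytics.example.net/tag.js";
  return {
    enforcedIframe:   evaluate(BEFORE, "frame-src", iframe, PAGE),        // blocked, console error
    reportOnlyIframe: evaluate(BEFORE, "frame-src", iframe, PAGE, true),  // rendered, console error
    updatedIframe:    evaluate(AFTER, "frame-src", iframe, PAGE),         // allowed, no message
    updatedScript:    evaluate(AFTER, "script-src", script, PAGE),        // allowed, no message
  };
}
```

The `report` string stands in for the browser console message the admin reads to find the blocked domain; the only thing Report Only changes is `allowed`.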
Scenario 1: An agent authors a Knowledge Base article
Let’s say the CSP header for the Agent Portal is enabled. When agents author Knowledge Base articles, there might be a need to include videos hosted on external sources, or to include an iframe.
Scenario 2: Admins set up email Notification Templates
Let’s say the CSP header for the Agent Portal is enabled. While setting up templates for email notifications, there may be cases where external content (like images, videos, forms, etc.) is shown. To ensure the admin is able to create the required template, the external domains need to be added in the Content Security Policy section. Only then will the template fully load in the Agent Portal as required.
Scenario 3: An end user accesses a Knowledge Article
Let’s say the CSP header for the Support Center is enabled. A Knowledge Article authored in the Agent Portal can include external content. You might also use scripts and frameworks to render the articles in a specific manner. In other cases, the layout of the KB article is updated (to include content from external sources) based on unique business needs.
In the above cases, when those domains are not explicitly allowed, the Content Security Policy blocks the external information from being loaded on the web page showing the Knowledge Article.
Scenario 4: A customer accesses your customized Support Center
In such cases, it is critical to allow the required domains in the CSP module so that end users viewing your Support Center can access all the intended content.
Enabling CSP causes no data loss for the account. It only enhances security and provides a secure environment for your agents and end users. Admins can choose to update the CSP settings in an incremental and iterative manner. If you have any queries about using the Content Security Policy module in HappyFox, please write to firstname.lastname@example.org