Content-Security-Policy (CSP) is the name of an HTTP response header that modern browsers use to enhance the security of a document (or web page). The Content-Security-Policy header allows you to restrict resources such as JavaScript, CSS, or pretty much anything else that the browser loads. Content Security Policies can be enabled in your Service Desk accounts. This article gives you an overview of CSP and how it can be enabled in your Service Desk account. Click Here to learn more about Content Security Policy.
Benefits of Content Security Policy
Having Content Security Policy enabled ensures a safe and secure environment for your end users to use the Service Desk.
- Create a secure environment for your end-users. It prevents your browser from loading unsafe code/script/style.
- Mitigate against malicious web attacks. These include Cross Site Scripting (XSS), card skimming, session hijacking, code injection, clickjacking, and more.
Account Policies
- By enabling CSP, Service Desk administrators allow external content (like videos/scripts) from only specific domains to be loaded in their accounts. This ensures an additional layer of security providing a safe environment for your agents and requesters who access your Service Desk accounts.
- By default, Service Desk has whitelisted the sources/domains required for the basic functioning of the app. This includes built-in marketplace integrations like popular video hosting services (YouTube, Vimeo, Wistia) and other required sources. Also, all images are allowed to be rendered in the Service Desk.
- Customizing CSP for each account: Admins will have to specify the sources they would like to whitelist so that content from these sources is allowed when rendering in the UI. A source could be a domain, a script, style, image or font source, a directory, or a file path. The full list of sources that you can whitelist or allow can be found in the Source List Reference section.
- CSP can be individually enabled for your Agent Portal and Support Center. This provides an opportunity for you to separately address what content is safe and allowed for your agents (who work on incidents and requests in the service desk) and your requesters (who use the Support Center for submitting incidents, service requests and accessing Knowledge Base articles).
How to enable CSP in your Service Desk?
- Admins who have access to Manage > Security will be able to configure this section. Navigate to Manage > Security > Content Security Policy tab.
- You can individually choose to enable CSP for the Agent Portal and the Support Center, based on your needs. Switch ON the toggle for Agent Portal and/or Support Center and Save.
- Click the arrow for the corresponding segment to add the trusted domains. You can add sources for the following types: Script, Style, Connect, Font, Media, Frame, Default, Object, and Worker.
- Provide the URLs for the respective sources (separate URLs with commas). A sample is shown below.
What happens when a web request violates the policy?
Once CSP is applied, only content from the trusted sources will be rendered in the UI. Any other external request whose content needs to be shown will be blocked and NOT shown in the Service Desk account. This applies to both the Agent Portal and the Support Center. You can open the browser console to view the details of the blocked request and its source domain. Reach out to your administrator to check whether the domain needs to be added to the content security policy.
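As an added example (not the Service Desk product's own code), the following JavaScript builds a CSP header value from per-type source lists like the segments described above and shows which resource loads the resulting policy allows or blocks; the host names and page origin are constructed placeholders.

```javascript
// Added example, not the Service Desk product's own code: assembles a CSP header from
// per-type source lists like the ones entered per segment in Manage > Security, then
// checks whether a given resource load would be allowed. Matching is simplified: it
// handles 'self', scheme://host and scheme://*.host, and every type other than Default
// falls back to default-src (the spec has a few extra fallback steps, e.g. frame-src).
const DIRECTIVES = {
  Script: 'script-src', Style: 'style-src', Connect: 'connect-src', Font: 'font-src',
  Media: 'media-src', Frame: 'frame-src', Default: 'default-src',
  Object: 'object-src', Worker: 'worker-src',
};

// Constructed sample: hosts are placeholders, not the product's default allow list.
const SAMPLE_SOURCES = {
  Default: ["'self'"],
  Script: ["'self'", 'https://cdn.example.com'],
  Media: ["'self'", 'https://www.youtube.com', 'https://player.vimeo.com'],
  Frame: ['https://*.wistia.com'],
};

// Join each segment into one "directive sources; directive sources" header value.
function buildCspHeader(sources) {
  return Object.entries(sources)
    .map(([type, list]) => `${DIRECTIVES[type]} ${list.join(' ')}`)
    .join('; ');
}

// Does one source expression match the URL being loaded from a page at pageOrigin?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  const [scheme, host] = expr.includes('://') ? expr.split('://') : [null, expr];
  if (scheme && url.protocol !== `${scheme}:`) return false; // scheme must match
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1)); // subdomains only
  return url.hostname === host;
}

// Returns true if the browser would load the resource, false if CSP would block it
// (the blocked case is what shows up as a violation in the browser console).
function isAllowed(sources, type, resourceUrl, pageOrigin) {
  const list = sources[type] ?? sources.Default; // unset directive -> default-src
  if (!list) return true; // no directive and no default-src: nothing restricts it
  const url = new URL(resourceUrl);
  return list.some((expr) => sourceMatches(expr, url, pageOrigin));
}

const ORIGIN = 'https://helpdesk.example.com'; // constructed page origin
console.log(buildCspHeader(SAMPLE_SOURCES));
console.log(isAllowed(SAMPLE_SOURCES, 'Script', 'https://cdn.example.com/app.js', ORIGIN)); // true
console.log(isAllowed(SAMPLE_SOURCES, 'Style', 'https://cdn.example.com/app.css', ORIGIN)); // false
```

The second `isAllowed` call is blocked because the Style segment is empty, so the stylesheet is judged against `default-src 'self'`, which does not include the CDN host.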
Frequently Asked Questions
Will CSP block screenshots present in the incoming email?
All images added by requesters will be rendered. These images could be locally uploaded files or images belonging to an externally hosted site.
Will videos be blocked by the CSP?
All videos uploaded as files will be rendered. Inline videos hosted on YouTube, Vimeo and Wistia are allowed by default. Videos embedded from other sites are not allowed by default; however, admins can whitelist the required sites in the CSP policy.
Is CSP enabled in all Service Desk accounts?
The CSP feature is available for all Service Desk accounts. Admins can choose to enable it and leverage this feature for their Service Desk.
How does CSP handle links?
As agents work on incidents, they generally encounter messages that may contain links. These links could point to images or videos that open in a new tab. In such cases, agents need to be cautious about the links they click. The scope of CSP covers only content that is rendered within the app (Agent Portal and Support Center). Content that opens in a new tab (on a different domain) is outside the scope of CSP.
Is there any impact for requesters to raise incidents from the Support Center?
No impact. Requesters can upload local images and videos from the Support Center of their respective Service Desk accounts.
Which browsers support CSP?
Content Security Policy is supported by all major modern browsers, and has been for many years. It is not supported in Internet Explorer. Click Here to check whether your browser supports CSP. The list of browser versions that support CSP is also available; Click Here to refer to it.
What are some typical scenarios where an account needs to configure CSP?
Admins need to consider CSP whenever information from external sources is rendered in the UI while adding HTML.
Click Here to go through a working example of Content Security Policy