How to Configure Content Security Policy for Plugins

Plugins can contribute to the Content Security Policy (CSP). For more information about the Content Security Policy, see Content Security Policy (CSP) and https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.

To allow a plugin to contribute to the Content Security Policy, you can:
  • Implement a CspProviderExtension:
    1. Create a class that implements ro.sync.exml.plugin.workspace.security.CspProviderExtension.
    2. Reference the class in your plugin.xml file:
    <extension type="Csp" class="com.example.ClassName"/>
  • Set the CSP for Static Resources:
    <extension type="WebappStaticResourcesFolder" path="path/to/folder" 
    csp="default-src 'self' www.google.com; style-src 'self' 'unsafe-inline';"/>

    where the value of the csp attribute is the value of the Content-Security-Policy header.

  • Set the CSP directly on the response:
    If you are implementing an extension of type WebappServlet or WebappServletFilter, you can set the Content-Security-Policy header of the response:
    resp.setHeader("Content-Security-Policy", "default-src 'self';");
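
An added example (not part of the original page or of the product's code): a small Python check that reads the csp attribute of WebappStaticResourcesFolder extensions in a plugin.xml and flags values that weaken the policy. The `<plugin>` root element and the second extension in the sample are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed plugin.xml fragment; the first extension is the page's own example.
SAMPLE_PLUGIN_XML = """<plugin>
  <extension type="WebappStaticResourcesFolder" path="path/to/folder"
    csp="default-src 'self' www.google.com; style-src 'self' 'unsafe-inline';"/>
  <extension type="WebappStaticResourcesFolder" path="path/to/other"
    csp="script-src 'self' 'unsafe-eval' *; script-src 'none'"/>
</plugin>"""

RISKY_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
BROAD_SOURCES = {"*", "http:", "https:", "data:"}

def parse_csp(value):
    """Split a CSP header value into (directives, duplicate_names)."""
    directives, duplicates = {}, []
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:            # tolerate the trailing ';' used on the page
            continue
        name = tokens[0].lower()  # directive names are case-insensitive
        if name in directives:    # browsers keep the first and ignore later ones
            duplicates.append(name)
            continue
        directives[name] = tokens[1:]
    return directives, duplicates

def audit_plugin_xml(xml_text):
    """Return (path, message) findings for every static-resources csp attribute."""
    findings = []
    for ext in ET.fromstring(xml_text).iter("extension"):
        csp = ext.get("csp")
        if ext.get("type") != "WebappStaticResourcesFolder" or csp is None:
            continue
        path = ext.get("path")
        directives, duplicates = parse_csp(csp)
        for name in duplicates:
            findings.append((path, f"duplicate {name} is ignored"))
        if "default-src" not in directives:
            findings.append((path, "no default-src fallback"))
        for name, sources in directives.items():
            for src in sources:
                if src.lower() in RISKY_KEYWORDS or src in BROAD_SOURCES:
                    findings.append((path, f"{name} allows {src}"))
    return findings

if __name__ == "__main__":
    for path, message in audit_plugin_xml(SAMPLE_PLUGIN_XML):
        print(f"{path}: {message}")
```

The page's own example value is reported for `style-src 'unsafe-inline'`; the constructed second value shows that a later, stricter `script-src 'none'` does not tighten the policy because the first `script-src` is the one that applies.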