XSS Security Options
This page describes the Web options for the XSS Security options group. With the exception of XSS_WEB_PROXY, these options are used to configure your Content-Security-Policy header so that your third-party integrations in WebPAC and Encore function correctly.
CSP_CONNECT_SRC_HOSTS
This option specifies the URLs that page scripts may contact through script interfaces (fetch, XMLHttpRequest, WebSocket, EventSource, and navigator.sendBeacon). The format is a space-delimited list of host names:
CSP_CONNECT_SRC_HOSTS=<host_name1> <host_name2> ...
For example:
CSP_CONNECT_SRC_HOSTS=https://www.google-analytics.com
This value is inserted into the connect-src directive in the Content-Security-Policy header. See Using the Content Security Policy Web Options below for more information.
You must restart the HTTP server for your changes to this Web option to take effect.
CSP_DEFAULT_SRC_HOSTS
This option supplies the fallback source list for the fetch directives that are not set explicitly in the policy (for example, frame-src). A directive that is set, such as script-src or connect-src, replaces default-src for its resource type rather than adding to it, so a host that a script or a fetch request needs must go in the option for that directive, not here. The format is a space-delimited list of host names:
CSP_DEFAULT_SRC_HOSTS=<host_name1> <host_name2> ...
For example:
CSP_DEFAULT_SRC_HOSTS=https://syndetics.com https://ltfl.librarything.com https://librarian.syndetics.com
This value is inserted into the default-src directive in the Content-Security-Policy header. See Using the Content Security Policy Web Options below for more information.
You must restart the HTTP server for your changes to this Web option to take effect.
CSP_FORM_ACTION_HOSTS
This option specifies the URLs that can be used as the target of form submissions from a given context. form-action does not fall back to default-src, so a host listed only in CSP_DEFAULT_SRC_HOSTS does not permit form submissions to it. The format is a space-delimited list of host names:
CSP_FORM_ACTION_HOSTS=<host_name1> <host_name2> ...
This value is inserted into the form-action directive in the Content-Security-Policy header. See Using the Content Security Policy Web Options below for more information.
You must restart the HTTP server for your changes to this Web option to take effect.
CSP_SCRIPT_SRC_HOSTS
This option specifies the hosts from which the page may load JavaScript. Browsers check external script elements against script-src-elem, which falls back to script-src when script-src-elem is not set, so violations that the browser reports as script-src-elem are also resolved with this option. The format is a space-delimited list of host names:
CSP_SCRIPT_SRC_HOSTS=<host_name1> <host_name2> ...
For example:
CSP_SCRIPT_SRC_HOSTS=https://syndetics.com https://wowbrary.org
This value is inserted into the script-src directive in the Content-Security-Policy header. See Using the Content Security Policy Web Options below for more information.
You must restart the HTTP server for your changes to this Web option to take effect.
XSS_WEB_PROXY
Do not set this Web option unless instructed by Innovative staff.
This option modifies proxy requests for certain Web Access Management setups.
Using the Content Security Policy Web Options
Starting in Sierra 6.3 and Encore 6.2, Innovative introduced an enhanced Content Security Policy (CSP). This policy might prevent some integrations that your library previously added to WebPAC and Encore from functioning correctly (for example, the scripts for third-party features like Syndetics, NoveList, Wowbrary, Vega showcases, Google Analytics, and so on might be blocked). The CSP Web options allow the webmaster at your organization to restore these integrations.
How to Use the CSP Web Options
When your library upgrades to Sierra 6.3, Innovative recommends reviewing the pages in WebPAC and Encore where your library has added third-party integrations. If content is missing, open your web browser's developer tools (the Console tab) and look for the Content-Security-Policy violation report for the blocked resource. The report names the directive that was violated and the URL that was blocked.
Once you know which directive is involved, add the blocked resource's scheme and host name (not its path or query string) to the corresponding CSP Web option to restore the missing content. After making a change to any of the CSP Web options, you must restart the HTTP server for the change to take effect.
For example, you upgrade to Sierra 6.3 and notice that your integration with Google Tag Manager is no longer working. When you open your browser's developer tools, you find the following error:
Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at https://www.googletagmanager.com/gtag/js?id=G-T145MDLXMQ&cx=c&_slc=1 from being executed because it violates the following directive: “script-src 'unsafe-inline' 'unsafe-eval' 'self' https://data.pendo.io/ https://cdn.pendo.io https://vega-widgets.s3.us-east-2.amazonaws.com https://wowbrary.org https://google.com https://*.google.com https://maps.googleapis.com https://ebscohost.com https://*.ebscohost.com https://cdn.appdynamics.com https://prototypejs.org https://o.aolcdn.com https://s7.addthis.com https://www.google-analytics.com”
The page is trying to load a script from a host name that is not in the source list of the script-src directive quoted at the end of the message. (The browser reports the check as script-src-elem, which governs external script elements and falls back to script-src because script-src-elem is not set in this policy.) To restore this integration, you must add the host name (https://www.googletagmanager.com) to the corresponding Web option (CSP_SCRIPT_SRC_HOSTS).
Restoring a missing resource can be an iterative process. The browser reports a violation for each resource it blocks, but a blocked script never runs, so the browser cannot yet report the resources that script would have requested in turn. After you change the relevant Web option and restart the HTTP server, the newly allowed resource may call another host name that is still blocked (for example, you unblock a script, and the script then fetches data from a different host with XMLHttpRequest or fetch; that request is governed by connect-src, not script-src, so the host must be added to CSP_CONNECT_SRC_HOSTS). You must then resolve the next CSP violation, repeating until the integration works.
How the CSP Web Options Settings are Added to Headers
Sierra adds some host names to the Content-Security-Policy header directives by default (for example, "https://google.com" to the script-src directive). When you use the CSP Web options to add additional host names, the system inserts them into the existing list. The system does not overwrite any default entries, so the Web options can widen an allowlist but cannot narrow it. Every host you add is a host from which the browser will then accept scripts, connections, or form targets, so list only the specific hosts the integration needs rather than broad wildcards.
Continuing the example from above, after you restore the integration with Google Tag Manager (by adding "https://www.googletagmanager.com" to the CSP_SCRIPT_SRC_HOSTS Web option), the Content-Security-Policy header might look similar to the following:
Content-Security-Policy: default-src 'self' fake.library.gov; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://data.pendo.io/ https://cdn.pendo.io https://vega-widgets.s3.us-east-2.amazonaws.com https://wowbrary.org https://google.com https://*.google.com https://maps.googleapis.com https://ebscohost.com https://*.ebscohost.com https://cdn.appdynamics.com https://prototypejs.org https://o.aolcdn.com https://s7.addthis.com https://www.google-analytics.com https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com https://fake.library.iiivega.com; upgrade-insecure-requests; block-all-mixed-content; style-src 'unsafe-inline' https:; img-src https: blob: data:; media-src https: blob: data:; font-src https: data:; object-src 'none';
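To make the troubleshooting steps above and the insert-not-overwrite behaviour concrete, here is an added Python example; it is not part of this page or of Innovative's software. It parses a policy value, checks a resource URL the way a browser would (with the fallback from script-src-elem to script-src to default-src, and with form-action never falling back), merges a Web option value into a directive without dropping the defaults, and names the Web option that feeds the violated directive. The header value is the one from the example above with the Google Tag Manager host removed, and the blocked script URL is the one from the violation message; the page origin https://fake.library.gov, the follow-up fetch to https://www.googletagmanager.com/gtm.js, and the frame and form URLs are assumptions made for the example. The matching is simplified and omits nonces, hashes, and redirect handling.

```python
"""Check a URL against a Content-Security-Policy and name the Web option that
feeds the violated directive. Added example for this page, not Innovative code;
matching is simplified (host, scheme and *. sources, 'self', fallback; no nonces)."""
from urllib.parse import urlsplit

# Directive -> Web option that supplies extra hosts for it (from this page).
WEB_OPTION_FOR = {
    "connect-src": "CSP_CONNECT_SRC_HOSTS",
    "default-src": "CSP_DEFAULT_SRC_HOSTS",
    "form-action": "CSP_FORM_ACTION_HOSTS",
    "script-src": "CSP_SCRIPT_SRC_HOSTS",
}
# Order in which a browser looks for the governing directive; form-action
# never falls back to default-src.
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
    "form-action": ["form-action"],
}

def parse_csp(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def merge_web_option(policy, directive, option_value):
    """Append a Web option's hosts to a directive, keeping the default entries."""
    sources = policy.setdefault(directive, [])
    for host in option_value.split():
        if host not in sources:
            sources.append(host)
    return policy

def source_matches(source, url, page_origin):
    """Does one CSP source expression allow url?"""
    u = urlsplit(url)
    if source == "'self'":
        o = urlsplit(page_origin)
        return (u.scheme, u.netloc.lower()) == (o.scheme, o.netloc.lower())
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes never match a URL
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. https:
        return u.scheme == source[:-1].lower()
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    want, got = s.hostname or "", u.hostname or ""
    if want.startswith("*."):
        if not got.endswith(want[1:]):  # *.google.com matches any subdomain only
            return False
    elif want != got:
        return False
    if s.port is not None and s.port != u.port:  # port checked only if source names one
        return False
    if s.path not in ("", "/") and not u.path.startswith(s.path):
        return False  # a path in a source is treated as a prefix here
    return True

def check_url(policy, kind, url, page_origin):
    """Return (allowed, governing directive, Web option to edit or None)."""
    for directive in FALLBACK[kind]:
        if directive in policy:
            allowed = any(source_matches(s, url, page_origin) for s in policy[directive])
            return allowed, directive, None if allowed else WEB_OPTION_FOR.get(directive)
    return True, None, None  # nothing governs this request type

ORIGIN = "https://fake.library.gov"  # assumed page origin for the header example
# The page's header example, before the Google Tag Manager host was added.
HEADER_BEFORE = (
    "default-src 'self' fake.library.gov; "
    "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://data.pendo.io/ "
    "https://cdn.pendo.io https://vega-widgets.s3.us-east-2.amazonaws.com "
    "https://wowbrary.org https://google.com https://*.google.com "
    "https://maps.googleapis.com https://ebscohost.com https://*.ebscohost.com "
    "https://cdn.appdynamics.com https://prototypejs.org https://o.aolcdn.com "
    "https://s7.addthis.com https://www.google-analytics.com; "
    "connect-src 'self' https://www.google-analytics.com https://fake.library.iiivega.com; "
    "upgrade-insecure-requests; block-all-mixed-content; style-src 'unsafe-inline' https:; "
    "img-src https: blob: data:; media-src https: blob: data:; font-src https: data:; "
    "object-src 'none';"
)
GTM_SCRIPT = "https://www.googletagmanager.com/gtag/js?id=G-T145MDLXMQ&cx=c&_slc=1"

def demo():
    """Walk the page's example: blocked, fixed via the Web option, then the next
    directive a fetch from the unblocked script would run into."""
    policy = parse_csp(HEADER_BEFORE)
    before = check_url(policy, "script-src-elem", GTM_SCRIPT, ORIGIN)
    merge_web_option(policy, "script-src", "https://www.googletagmanager.com")
    after = check_url(policy, "script-src-elem", GTM_SCRIPT, ORIGIN)
    # Constructed follow-up: a fetch() from the now-running script to its own
    # host is governed by connect-src, which does not list that host yet.
    follow_up = check_url(policy, "connect-src", "https://www.googletagmanager.com/gtm.js", ORIGIN)
    return before, after, follow_up, policy["script-src"]
```

demo() returns the three checks in order (blocked under script-src, allowed once the Web option value is merged, then blocked again under connect-src), which is the iterative loop described above, plus the merged script-src list showing that the default hosts are retained.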