XSS Security Options

This page describes the Web options for the XSS Security options group. With the exception of XSS_WEB_PROXY, these options are used to configure your Content-Security-Policy header so that your third-party integrations in WebPAC and Encore function correctly.

CSP_CONNECT_SRC_HOSTS

This Web option is available in Sierra 6.3 and later. If you want to change the setting of this Web option on the Encore server, contact Innovative.

This option specifies the URLs that scripts on the page are allowed to connect to through script interfaces such as fetch, XMLHttpRequest, WebSocket, and EventSource (for example, the endpoint an analytics script sends its data to). The format is a space-delimited list of host names:

CSP_CONNECT_SRC_HOSTS=<host_name1> <host_name2> ...

For example:

CSP_CONNECT_SRC_HOSTS=https://www.google-analytics.com

This value is inserted into the connect-src directive in the Content-Security-Policy header. See Using the Content Security Policy Web Options below for more information.

You must restart the HTTP server for your changes to this Web option to take effect.

CSP_DEFAULT_SRC_HOSTS

This Web option is available in Sierra 6.3 and later. If you want to change the setting of this Web option on the Encore server, contact Innovative.

This option specifies the fallback sources for any fetch directive that the header does not set explicitly (for example, a frame-src directive when the header contains none). A directive that is explicitly present in the header, such as script-src or connect-src, does not consult default-src, so a host name needed by a script, or by a request the script makes, must go in the corresponding option instead. The format is a space-delimited list of host names:

CSP_DEFAULT_SRC_HOSTS=<host_name1> <host_name2> ...

For example:

CSP_DEFAULT_SRC_HOSTS=https://syndetics.com https://ltfl.librarything.com https://librarian.syndetics.com

This value is inserted into the default-src directive in the Content-Security-Policy header. See Using the Content Security Policy Web Options below for more information.

You must restart the HTTP server for your changes to this Web option to take effect.

CSP_FORM_ACTION_HOSTS

This Web option is available in Sierra 6.3 and later, but affects the Encore server only. (WebPAC does not generate the form-action directive and therefore does not use this Web option.) To change the value of this Web option, contact Innovative. After changing the value, Innovative staff will restart the HTTP server for Encore.

This option specifies the URLs that can be used as the target of form submissions from a given context. Unlike the fetch directives, form-action does not fall back to default-src, so a host name added to CSP_DEFAULT_SRC_HOSTS does not permit form submissions to that host. The format is a space-delimited list of host names:

CSP_FORM_ACTION_HOSTS=<host_name1> <host_name2> ...

This value is inserted into the form-action directive in the Content-Security-Policy header. See Using the Content Security Policy Web Options below for more information.

CSP_SCRIPT_SRC_HOSTS

This Web option is available in Sierra 6.3 and later. If you want to change the setting of this Web option on the Encore server, contact Innovative.

This option specifies valid sources for JavaScript. The format is a space-delimited list of host names:

CSP_SCRIPT_SRC_HOSTS=<host_name1> <host_name2> ...

For example:

CSP_SCRIPT_SRC_HOSTS=https://syndetics.com https://wowbrary.org

This value is inserted into the script-src directive in the Content-Security-Policy header. See Using the Content Security Policy Web Options below for more information.

You must restart the HTTP server for your changes to this Web option to take effect.

XSS_WEB_PROXY

Do not set this Web option unless instructed by Innovative staff.

This option modifies proxy requests for certain Web Access Management setups.

Using the Content Security Policy Web Options

Starting in Sierra 6.3 and Encore 6.2, Innovative introduced an enhanced Content Security Policy (CSP). This policy might prevent some integrations that your library previously added to WebPAC and Encore from functioning correctly (for example, the scripts for third-party features like Syndetics, NoveList, Wowbrary, Vega showcases, Google Analytics, and so on might be blocked). The CSP Web options allow the webmaster at your organization to restore these integrations.

How to Use the CSP Web Options

When your library upgrades to Sierra 6.3, Innovative recommends reviewing the pages in WebPAC and Encore where your library has added third-party integrations. If there is content that is not appearing, open your web browser's developer tools: the console message for a Content Security Policy violation names the blocked URL and the directive that refused it (for example, script-src for a blocked script, or connect-src for a blocked request made by a script). When the header contains no explicit directive for that resource type, the message names default-src as the violated directive, because default-src is the fallback for the fetch directives.

Once you know which directive is involved, add the host name of the blocked resource (scheme and host, for example https://www.googletagmanager.com, not the full URL with its path) to the corresponding CSP Web option to restore the missing content. After making a change to any of the CSP Web options, you must restart the HTTP server for the change to take effect.

Restoring a missing resource can be an iterative process. The browser only reports the violations that actually occur, so a script that is blocked at load time never gets to make its own requests, and any further violations those would cause are not reported yet. After you change the relevant Web option and restart the HTTP server, the resource could call another host name (for example, you unblock a script, but the script then requests content at a different host name, or connects to the same host name under a different directive, and is still blocked). You must then resolve the next CSP violation, and repeat until the integration works.

How the CSP Web Options Settings are Added to Headers

Sierra adds some host names to the Content-Security-Policy header directives by default (for example, "https://google.com" to the script-src directive). When you use the CSP Web options to add additional host names, the system inserts them into the existing list. The system does not overwrite any default entries.

For example, after you restore an integration with Google Tag Manager (by adding "https://www.googletagmanager.com" to the CSP_SCRIPT_SRC_HOSTS Web option), the Content-Security-Policy header might look similar to the following:

Content-Security-Policy: default-src 'self' fake.library.gov; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://data.pendo.io/ https://cdn.pendo.io https://vega-widgets.s3.us-east-2.amazonaws.com https://wowbrary.org https://google.com https://*.google.com https://maps.googleapis.com https://ebscohost.com https://*.ebscohost.com https://cdn.appdynamics.com https://prototypejs.org https://o.aolcdn.com https://s7.addthis.com https://www.google-analytics.com https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com https://fake.library.iiivega.com; upgrade-insecure-requests; block-all-mixed-content; style-src 'unsafe-inline' https:; img-src https: blob: data:; media-src https: blob: data:; font-src https: data:; object-src 'none';
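The following is an added example, not Innovative's code and not part of this page: a small Python checker that takes a Content-Security-Policy header value (the sample header above), together with the directive and URL that a browser's violation message reports, and says whether the load is allowed, which directive actually governs it (including the fall-back from an absent fetch directive to default-src, and the absence of any fall-back for form-action), and which of the four CSP Web options on this page, if any, the host name belongs in. The page origin https://fake.library.gov and the resource URLs are constructed for the example; the header is the one shown above. Nonces, hashes and 'strict-dynamic' are not modelled.

```python
"""Predict which CSP directive blocks a resource and which Sierra CSP Web option feeds it.
Added example, not Innovative's code. Host-source and scheme-source matching follows the
CSP rules; nonces, hashes and 'strict-dynamic' are not modelled. The sample header is the
one shown on this page; the page origin and resource URLs are constructed."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent from the header.
# form-action, frame-ancestors, base-uri and sandbox do NOT fall back.
FETCH_DIRECTIVES = {"child-src", "connect-src", "font-src", "frame-src", "img-src", "manifest-src",
                    "media-src", "object-src", "script-src", "style-src", "worker-src"}
# Directive -> the Web option on this page that inserts host names into it.
WEB_OPTION_FOR = {"connect-src": "CSP_CONNECT_SRC_HOSTS", "default-src": "CSP_DEFAULT_SRC_HOSTS",
                  "form-action": "CSP_FORM_ACTION_HOSTS", "script-src": "CSP_SCRIPT_SRC_HOSTS"}
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Header value -> {directive: [source, ...]}; a repeated directive is ignored, as in browsers."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _scheme_ok(src_scheme, url_scheme):
    # A source scheme also matches its secure upgrade (http -> https, ws -> wss).
    return url_scheme == src_scheme or (src_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def source_allows(source, url, page_origin):
    """True if one CSP source expression matches url for a page served from page_origin."""
    u, page = urlsplit(url), urlsplit(page_origin)
    url_host = (u.hostname or "").lower()
    url_port = u.port or DEFAULT_PORT.get(u.scheme)
    if source.lower() == "'self'":
        page_port = page.port or DEFAULT_PORT.get(page.scheme)
        return (u.scheme, url_host, url_port) == (page.scheme, (page.hostname or "").lower(), page_port)
    if source.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval', nonces, hashes: never match a URL
        return False
    if source.endswith(":") and "/" not in source:  # scheme-source such as https: blob: data:
        return _scheme_ok(source[:-1].lower(), u.scheme)
    # host-source: [scheme://]host[:port][/path]
    scheme, sep, rest = source.partition("://")
    if not sep:  # no scheme given: the page's own scheme is implied
        scheme, rest = page.scheme, source
    if not _scheme_ok(scheme.lower(), u.scheme):
        return False
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.lower().partition(":")
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):  # *.google.com matches maps.google.com, not google.com
            return False
    elif host != "*" and host != url_host:
        return False
    if port and port != "*" and int(port) != url_port:
        return False
    if not port and url_port != DEFAULT_PORT.get(u.scheme):
        return False
    if path:  # "host/dir/" is a path-prefix match, "host/file.js" an exact match
        path = "/" + path
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def diagnose(header, directive, url, page_origin):
    """None if the load is allowed; otherwise the violated directive, the Web option that feeds
    it, and the host value (scheme + host, as the Web options expect) to add to that option."""
    policy = parse_csp(header)
    if directive in policy:
        name = directive
    elif directive in FETCH_DIRECTIVES and "default-src" in policy:
        name = "default-src"  # the browser reports this fallback as the violated directive
    else:
        return None  # e.g. form-action absent from the header: nothing restricts it
    if any(source_allows(s, url, page_origin) for s in policy[name]):
        return None
    u = urlsplit(url)
    return {"violated": name,
            "web_option": WEB_OPTION_FOR.get(name, "(no CSP Web option for this directive)"),
            "add_host": f"{u.scheme}://{u.netloc}"}


# The header shown on this page (value only) and an assumed page origin matching its 'self'.
SAMPLE_CSP = (
    "default-src 'self' fake.library.gov; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://data.pendo.io/ "
    "https://cdn.pendo.io https://vega-widgets.s3.us-east-2.amazonaws.com https://wowbrary.org https://google.com "
    "https://*.google.com https://maps.googleapis.com https://ebscohost.com https://*.ebscohost.com "
    "https://cdn.appdynamics.com https://prototypejs.org https://o.aolcdn.com https://s7.addthis.com "
    "https://www.google-analytics.com https://www.googletagmanager.com; connect-src 'self' "
    "https://www.google-analytics.com https://fake.library.iiivega.com; upgrade-insecure-requests; "
    "block-all-mixed-content; style-src 'unsafe-inline' https:; img-src https: blob: data:; "
    "media-src https: blob: data:; font-src https: data:; object-src 'none';"
)
PAGE_ORIGIN = "https://fake.library.gov"

if __name__ == "__main__":
    # The iterative case from the text: the tag-manager script now loads, but its first request to
    # the same host is refused by connect-src; an embed no directive covers falls back to default-src.
    for directive, url in [("script-src", "https://www.googletagmanager.com/gtm.js"),
                           ("connect-src", "https://www.googletagmanager.com/collect"),
                           ("frame-src", "https://www.youtube.com/embed/example"),
                           ("form-action", "https://search.example.org/")]:
        print(f"{directive:12} {url:45} -> {diagnose(SAMPLE_CSP, directive, url, PAGE_ORIGIN)}")
```

Run as written, the script shows the tag-manager script allowed by script-src, the connect to the same host refused (so https://www.googletagmanager.com also belongs in CSP_CONNECT_SRC_HOSTS), the embed refused under default-src (so CSP_DEFAULT_SRC_HOSTS is the option to change), and the form submission unrestricted because this header sets no form-action. Paste a different header value into SAMPLE_CSP to check your own server's policy before restarting the HTTP server.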