Advisory: Content Security Policy

Content Security Policy (CSP) is a web standard designed to prevent malicious content from being injected into trusted websites. For example, when one user shares a folder with another, an attacker can upload a file containing malicious content into that share. When such a file is opened or previewed by the other user, it can cause unintended behavior in the browser.

Content Security Rule

FileCloud version 17 and later ships with a Content Security Policy rule that prevents this kind of attack. The rule is specified in the file WWWROOT/.htaccess of every FileCloud installation.
Opening this file in a text editor shows a rule such as the following:

Header set Content-Security-Policy: "default-src 'self' *.live.com; style-src 'unsafe-inline' 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self';font-src 'self' data:;img-src 'self' data:"

In the above rule:

Rule section: default-src 'self' *.live.com
Description: This section sets the default source list, which applies to every resource type that has no more specific directive below. Such resources may be loaded only from the FileCloud server itself ('self') and from *.live.com.
Note that live.com was added here to allow web editing by Office Online cloud.
If you use your own on-premises Office Online server, its host name has to be added here as well.

Rule section: style-src 'unsafe-inline' 'self'
Description: This section allows stylesheets to be loaded only from the FileCloud server itself ('self') and from style elements and attributes embedded in the web page ('unsafe-inline').

Rule section: script-src 'unsafe-inline' 'unsafe-eval' 'self'
Description: This section allows scripts to be loaded from the FileCloud server itself ('self'), from script code embedded in the web page within <script> tags ('unsafe-inline'), and from code evaluated at run time with eval() and similar functions ('unsafe-eval').

Rule section: font-src 'self' data:
Description: This section permits fonts to be loaded only from the FileCloud server itself and from base64-encoded fonts embedded in the page as data: URLs.

Rule section: img-src 'self' data:
Description: This section permits images to be loaded only from the FileCloud server itself and from base64-encoded images embedded in the page as data: URLs.
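To see how a browser applies the rule above, here is a small Python checker (an added example, not FileCloud's own code) that parses the shipped policy string and decides whether a given resource load is permitted. It models only the source expressions this rule actually uses ('self', 'unsafe-inline', 'unsafe-eval', data:, and host names with a leading wildcard) together with the CSP fallback rule: a fetch directive that is absent from the policy (for example frame-src or connect-src) inherits default-src, whereas a directive that is present (script-src here) replaces default-src entirely, so *.live.com is permitted for frames but not for scripts. The site origin https://filecloud.example.com is a constructed placeholder standing in for the FileCloud server.

```python
"""Evaluate resource loads against the FileCloud CSP string.

Added example, not FileCloud code. Covers only the source expressions used in
the shipped rule; real browsers implement the full CSP matching algorithm.
"""
from urllib.parse import urlparse

# The rule as shipped in WWWROOT/.htaccess (copied from the advisory text).
FILECLOUD_CSP = (
    "default-src 'self' *.live.com; style-src 'unsafe-inline' 'self';"
    "script-src 'unsafe-inline' 'unsafe-eval' 'self';font-src 'self' data:;"
    "img-src 'self' data:"
)

# Constructed placeholder for the FileCloud server's own origin ('self').
SITE_ORIGIN = "https://filecloud.example.com"


def parse_csp(policy):
    """Split a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def effective_sources(directives, directive):
    """CSP fallback: a missing fetch directive inherits default-src, while a
    present one replaces default-src completely (no merging of lists)."""
    if directive in directives:
        return directives[directive]
    return directives.get("default-src", [])


def _host_matches(pattern, host):
    """Host-source matching: '*.live.com' matches subdomains of live.com only,
    never the bare apex host 'live.com'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '.live.com' suffix
    return pattern == host


def source_allows(source, url, site_origin):
    """Does one source expression permit fetching url?  Keyword sources such as
    'unsafe-inline' and 'unsafe-eval' never match a URL fetch."""
    parsed = urlparse(url)
    if source == "'self'":
        site = urlparse(site_origin)
        return (parsed.scheme, parsed.netloc) == (site.scheme, site.netloc)
    if source.endswith(":"):  # scheme-source such as data:
        return parsed.scheme == source[:-1]
    if source.startswith("'"):  # any other keyword source
        return False
    # Host-source: compare host names only (simplification of the CSP algorithm).
    return (parsed.scheme in ("http", "https") and parsed.hostname is not None
            and _host_matches(source, parsed.hostname.lower()))


def load_allowed(policy, directive, url, site_origin=SITE_ORIGIN):
    """True if a fetch governed by `directive` (e.g. 'script-src') may load url."""
    sources = effective_sources(parse_csp(policy), directive.lower())
    return any(source_allows(s, url, site_origin) for s in sources)


def keyword_allowed(policy, directive, keyword):
    """True if a keyword such as \"'unsafe-eval'\" is granted for `directive`,
    honouring the same default-src fallback as URL fetches."""
    return keyword.lower() in effective_sources(parse_csp(policy), directive.lower())


if __name__ == "__main__":
    # Constructed sample loads illustrating the fallback behaviour.
    checks = [
        ("script-src", "https://filecloud.example.com/js/app.js"),
        ("script-src", "https://word.live.com/lib.js"),       # script-src overrides default-src
        ("frame-src", "https://word.live.com/embed"),         # inherits default-src
        ("frame-src", "https://live.com/embed"),              # apex host not matched by *.live.com
        ("img-src", "data:image/png;base64,iVBORw0KGgo="),
        ("connect-src", "https://api.other.example/"),
    ]
    for directive, url in checks:
        verdict = "allowed" if load_allowed(FILECLOUD_CSP, directive, url) else "blocked"
        print(f"{directive:12} {url:45} {verdict}")
```

Running the script prints one verdict per sample load. The same fallback logic is why adding an on-premises Office Online host to default-src is enough for it to be framed, but scripts remain restricted to the FileCloud server. After editing WWWROOT/.htaccess, confirm the header is actually sent by the deployed server, for example with curl -sI https://your-filecloud-host/ and looking for the Content-Security-Policy line in the response.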