Advisory: Content Security Policy
Content security policy is the standard that is created to prevent malicious content getting injected into trusted websites. For example, when a folder is shared by one user to another, hackers can upload a file into this share, with malicious content. When such file is opened/previewed by the user it can cause unintended behavior.
Content Security Rule
FileCloud is shipping with a content security rule that will prevent these kind of attacks in FileCloud version 17 and later. This rule is specified in the file WWWROOT/.htaccess of every FileCloud installation.
Opening this file in text editor will show a rule as follows:
Header set Content-Security-Policy: "default-src 'self' *.live.com; style-src 'unsafe-inline' 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self';font-src 'self' data:;img-src 'self' data:"
In the above rule:
| Rule Section | Description |
|---|---|
default-src 'self' *.live.com | This rule section will enforce javascript code getting loaded only from FileCloud server itself and *.live.com. |
style-src 'unsafe-inline' 'self' | This rule section will enforce style elements only to be loaded from FileCloud server and those that are embedded in the web page. |
script-src 'unsafe-inline' 'unsafe-eval' 'self' | This rule section will allow additional scripts embedded in the web page within <script> tag and scripts specified with eval function. |
font-src 'self' data: | This rule section permits fonts to be loaded only from FileCloud server and the base64 encoded fonts embedded in the page. |
img-src 'self' data: | This rule section permits images to be loaded only from FileCloud server and the base64 encoded fonts embedded in the page. |