Content Security Policy

Content Security Policy (CSP) is a mechanism by which a web server tells a browser, through a response header, which sources of content a page is allowed to load and, more importantly, which it is not. It helps reduce the risk from a range of web application vulnerabilities, especially mixed content (HTTP resources loaded into a page served over HTTPS) and Cross Site Scripting (XSS).

A fixed Content-Security-Policy header is included in responses from Intelligent Advisor Hub and Determinations Server. That is:

  • To allow Intelligent Advisor Hub to function as is, the CSP includes the following directives:
    • script-src 'self' 'unsafe-inline': Only trust JavaScript loaded from the same origin (scheme, host and port) as the response, or defined inline within the response. Because 'unsafe-inline' permits any inline script, including one injected by an attacker, this directive restricts where external scripts may be loaded from but does not by itself prevent XSS through inline script.
    • style-src 'self' 'unsafe-inline': Only trust CSS loaded from the same origin as the response, or defined inline within the response.
    • img-src 'self': Only trust images loaded from the same origin as the response.
    • block-all-mixed-content: Prevent resources from being loaded over HTTP if the response was retrieved over HTTPS. Current browsers block or upgrade most mixed content by default and treat this directive as deprecated, so it is a belt-and-braces measure rather than the primary control.
  • To allow Determinations Server to function as is, the content security policy includes the following directives:
    • script-src 'self' 'unsafe-inline': Only trust JavaScript loaded from the same origin as the response, or defined inline within the response. The same caveat about 'unsafe-inline' applies: inline script, injected or not, is permitted.
    • style-src 'self' 'unsafe-inline': Only trust CSS loaded from the same origin as the response, or defined inline within the response.
    • block-all-mixed-content: Prevent resources from being loaded over HTTP if the response was retrieved over HTTPS.

Resource types that have no directive of their own (for example fonts, frames or XMLHttpRequest targets) fall back to default-src; where a policy sets no default-src, those loads are not restricted by CSP. Note also that Determinations Server's policy sets no img-src, so images may be loaded from any HTTPS origin.
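
To make the effect of these directives concrete, the following is an added example (illustrative code, not part of Oracle Intelligent Advisor): a small model of how a browser applies the fetch directives above to a set of constructed requests. It reproduces the two policies listed on this page as string constants, handles 'self', 'none', '*', 'unsafe-inline', scheme://host sources, the default-src fallback and block-all-mixed-content, and assumes a deployment origin of https://advisor.example.com. Nonces, hashes and 'unsafe-eval' are not modelled.

```javascript
// Added example, not Oracle's code: a minimal model of CSP fetch-directive evaluation.
// Handles 'self', 'none', '*', 'unsafe-inline', scheme://host sources, default-src
// fallback and block-all-mixed-content. Nonces, hashes and 'unsafe-eval' are not modelled.

// Policies copied from the directive lists on this page.
const HUB_CSP =
  "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; block-all-mixed-content";
const DS_CSP =
  "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; block-all-mixed-content";

// Parse "name v1 v2; name2 v3" into a Map of directive name -> list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Does one source expression match the request URL?
function sourceMatches(src, url, pageOrigin) {
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src.startsWith("'")) return false;                         // keyword not modelled here
  if (src.includes('://')) return url.origin === src.replace(/\/$/, ''); // scheme://host source
  return url.host === src;                                       // bare host, any scheme
}

// Decide whether a load of `kind` (e.g. "script", "style", "img", "font") is permitted.
// request: { inline: true } for inline content, or { url: "..." } for a fetched resource.
// pageOrigin: origin of the document that carries the policy.
function isAllowed(policy, kind, request, pageOrigin) {
  // A fetch directive falls back to default-src; with neither present CSP imposes no restriction.
  const sources = policy.get(`${kind}-src`) ?? policy.get('default-src');
  if (request.inline) {
    return sources === undefined || sources.includes("'unsafe-inline'");
  }
  const url = new URL(request.url);
  // block-all-mixed-content: http: subresources in an https: document are refused
  // before any source matching takes place.
  if (policy.has('block-all-mixed-content') && pageOrigin.startsWith('https:') && url.protocol === 'http:') {
    return false;
  }
  if (sources === undefined) return true;
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Run a fixed set of constructed requests against a policy; returns { label: allowed }.
function evaluate(header, pageOrigin) {
  const policy = parseCsp(header);
  const checks = {
    sameOriginScript: ['script', { url: `${pageOrigin}/app.js` }],
    thirdPartyScript: ['script', { url: 'https://cdn.example.net/lib.js' }],
    inlineScript:     ['script', { inline: true }],   // what an injected <script> block looks like
    thirdPartyImage:  ['img',    { url: 'https://cdn.example.net/logo.png' }],
    httpImage:        ['img',    { url: 'http://cdn.example.net/logo.png' }],
    thirdPartyFont:   ['font',   { url: 'https://fonts.example.net/a.woff2' }],
  };
  const result = {};
  for (const [label, [kind, req]] of Object.entries(checks)) {
    result[label] = isAllowed(policy, kind, req, pageOrigin);
  }
  return result;
}

const ORIGIN = 'https://advisor.example.com'; // assumed deployment origin
console.log('Hub:', evaluate(HUB_CSP, ORIGIN));
console.log('Determinations Server:', evaluate(DS_CSP, ORIGIN));
```

Running this shows the practical consequence of the listed directives: both policies refuse a third-party script and any http: image on an https: page, but both accept an inline script, so an injected inline `<script>` is not stopped by CSP; the Hub policy additionally refuses third-party images, while Determinations Server, having no img-src and no default-src, accepts them. Fonts are unrestricted under both because neither policy has a font-src or default-src.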

No Content-Security-Policy header is sent for Web Determinations, as one would severely limit the ability of users to customize interviews.