wcs_properties.json file:Properties in the Security category determine how security is configured on both the management and the delivery systems. Before developers design the online site or make changes to the user interface on the management system, you must implement your security protocols using the Security properties in the WebCenter Sites wcs_properties.json file.
Additionally, Security properties with the sub category Content Security allow you to configure content security protection for websites developed through WebCenter Sites. Content Security is a standard which enables you to determine whether pages returned by the browser can be embedded inside an iframe of some other website. For detailed information about Content Security, see the specification documentation about the Content Security Policy.
Table 14-1 provides a description for each of the properties in the JSON file associated with the Security category.
Table 14-1 Security Properties
| Property | Description |
|---|---|
connect-src |
List of URIs the protected resource can load using script interfaces. Subcategory: Content Security |
contentsecurity.enabled |
Set the value to Default value: Subcategory: Content Security |
|
Specifies a comma-separated list of attributes that a user is allowed to modify. Currently, only For complete backward compatibility, set the property to blank to ensure that the user has write privileges to the Default value: |
|
default-src |
Comma-separated source list of default directives. For example: Subcategory: Content Security |
frame-ancestors |
Allowed hosts for embedding protected resource in iframes. Possible values:
|
|
Specifies variable names that are used as passwords and should be suppressed when ft.suppressPasswords is set to The Cheetah installer now sets this property to: Default value: |
|
|
Prevents any input or session variables containing the strings " Default value: Specify |
|
img-src |
Restricts from where the protected resource can load images. Subcategory: Content Security |
object-src |
Restricts from where the protected resource can load plugins. Possible values:
Subcategory: Content Security |
script-src |
Restricts which scripts the protected resource can execute. Subcategory: Content Security |
wcsites.encodeTemplateParams |
Contains a Boolean value that enables encoding of default template parameters, such as Possible values:
Default value: |
|
Defines the element used for managing the roles that users fulfill on sites in WebCenter Sites. Default value: |
|
|
Contains a comma-separated list of functions for which permissions can be generated on an asset. If the value is empty, all possible functions will be displayed. Additional system-defined functions can be added to the list of default functions. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to abstain from voting when assigned assets as part of the workflow process. Default value: blank |
|
|
Contains a comma-separated list of roles that are not allowed to approve assets for publishing. Default value: blank |
|
|
Contains a comma-separated list of roles that are not allowed to authorize privileges on assets. Default value: blank |
|
|
Contains a comma-separated list of roles that are not allowed to build Collection assets. Default value: blank |
|
|
Contains a comma-separated list of roles that are not allowed to checkout assets explicitly from the revision tracking system. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to copy assets. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to delegate assigned assets to other participants in the workflow. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to delete assets. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to edit assets. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to inspect assets. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to create a site navigation by copying and pasting an existing site navigation in the SitePlan tree. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to place Page assets in the SitePlan tree. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to preview assets with their templates. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to remove assets from a workflow group. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to remove assets from workflow. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to roll back assets to a previous version. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to set export to disk (static publishing) starting point. These users may still be allowed to approve and publish assets if some other users set the starting point. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to set nested workflow. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to set participants for workflow. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to set workflow process deadlines. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to set a deadline on a workflow step. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to share assets with other sites (other than the site the asset was originally created in). Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to see the participants for a workflow. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to see the status screen for assets. The Status option is available in the View menu when you have an asset open in the Oracle WebCenter Sites: Contributor interface. The Status page shows workflow and publishing information about the open asset. If the user belongs to one of the roles that is being denied the privilege to view the Status page, the Status option will be grayed out in the View menu. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to see the list of versions for an asset. Note: The Show versions icon is not displayed on the asset's toolbar if the user belongs to one of the roles that is denied the privilege. Default value: |
|
|
Contains a comma-separated list of roles that are not allowed to translate assets. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to abstain from voting when assigned assets as part of the workflow process. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to approve assets for publishing. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to authorize privileges on assets. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to build Collection assets. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to checkout assets from the revision tracking system. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to copy assets. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to delegate assigned assets to other participants in the workflow. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to delete assets. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to edit assets. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to inspect assets. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to translate assets. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to place Page assets in the SitePlan tree. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to preview assets with their templates. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to remove assets from a workflow group. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to remove assets from workflow. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to roll back assets to a previous version. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to set an export to disk (static publishing) starting point. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to set nested workflow. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to set participants for workflow. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to set workflow process deadlines. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to set a deadline on a workflow step. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to share assets with other sites (other than the site the asset was originally created in). Default value: |
|
|
Contains a comma-separated list of roles that are allowed to see the participants for a workflow. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to see the status screen for assets. The Status option is available in the View menu when you have an asset open in the Contributor interface. The Status page shows workflow and publishing information about the open asset. If the user belongs to one of the roles that is being granted the privilege to view the Status page, the Status option will be grayed out in the View menu. Default value: |
|
|
Contains a comma-separated list of roles that are allowed to see the list of versions for an asset. Note: The Show versions icon is displayed on the asset's toolbar if the user belongs to one of the roles that is granted the privilege. Default value: |
|
|
Specifies the X-XSS-Protection HTTP response header that allows the web server to enable or disable the web browser's XSS protection mechanism. The following list provides the possible values and the respective implications of setting the value: Possible values:
Default value: Subcategory: General |
|
|
Specifies the Anti-MIME-Sniffing header X-Content-Type-Options. Default value: Subcategory: General |