Content Security Policy

Mango can send a Content Security Policy (CSP) for improved security. CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. The basic idea is that Mango tells your browser which locations it may load content from and trust.

There are two areas that can have policies applied: the legacy UI and the HTML5 UI. Both are configured via the env.properties file, which contains examples of how to configure them. Both are disabled by default.

Some basic examples are given in the env.properties file. For the HTML5 UI:

style-src 'unsafe-inline' - inline styles are used by AngularJS Material for dynamic theming

script-src 'unsafe-eval' - needed by Fabric.js, which amCharts uses for drawing on charts; it also gives AngularJS a 30% performance boost

script-src https://cdnjs.cloudflare.com - needed for AngularJS to load locale files from the internet

connect-src ws: wss: - necessary because 'self' does not permit WebSocket connections to the same origin; this should be restricted to your server's actual hostname

img-src data: - allows small base64-encoded images to be embedded inline in the HTML

img-src/script-src https://www.google-analytics.com - allows enabling Google Analytics

img-src/script-src https://maps.google.com https://maps.googleapis.com https://maps.gstatic.com - allows using the Google Maps component

style-src/font-src https://fonts.googleapis.com https://fonts.gstatic.com - allows using Google Fonts in dashboards

For the legacy UI:

script-src 'unsafe-inline' - inline scripts are used extensively throughout the Mango legacy UI

script-src 'unsafe-eval' - the Dojo JS library uses eval()

style-src 'unsafe-inline' - inline styles are used throughout the Mango legacy UI

connect-src ws: wss: - necessary because 'self' does not permit WebSocket connections to the same origin; this should be restricted to your server's actual hostname

img-src data: - allows small base64-encoded images to be embedded inline in the HTML

img-src/script-src https://www.google-analytics.com - allows enabling Google Analytics
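As an added example (not Mango's own code, and not the contents of env.properties, whose property names are not shown on this page), the following Python script parses a CSP header value built from the directives listed above for both the HTML5 UI and the legacy UI, reports the settings that weaken the policy ('unsafe-inline', 'unsafe-eval', wildcards and bare ws:/wss: schemes), and rewrites connect-src to the hostname-restricted form recommended above. The two policy strings and the hostname mango.example are constructed for this example.

```python
"""Review a Content-Security-Policy header value for the weak settings
discussed on this page and restrict WebSocket sources to one hostname.
Added example; policy strings below are constructed, not taken from Mango."""

from typing import Dict, List

# Constructed policy assembled from the HTML5 UI directives listed above.
HTML5_UI_POLICY = (
    "default-src 'self'; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "script-src 'self' 'unsafe-eval' https://cdnjs.cloudflare.com "
    "https://www.google-analytics.com; "
    "connect-src 'self' ws: wss:; "
    "img-src 'self' data: https://www.google-analytics.com"
)

# Constructed policy assembled from the legacy UI directives listed above.
LEGACY_UI_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; "
    "style-src 'self' 'unsafe-inline'; "
    "connect-src 'self' ws: wss:; "
    "img-src 'self' data: https://www.google-analytics.com"
)

WEBSOCKET_SCHEMES = ("ws:", "wss:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source expressions]}.
    Directives are separated by ';' and sources by whitespace. Directive
    names are case-insensitive, so they are lower-cased; a repeated
    directive is ignored by browsers, so only the first copy is kept."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp: join directives back into a header value."""
    return "; ".join(
        f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items()
    )


def review_csp(header: str) -> List[str]:
    """Return one finding per setting that weakens the policy."""
    findings: List[str] = []
    for directive, sources in parse_csp(header).items():
        if "*" in sources:
            findings.append(f"{directive}: '*' permits any origin")
        if directive == "script-src" and "'unsafe-inline'" in sources:
            findings.append("script-src: 'unsafe-inline' lets injected inline "
                            "scripts run, so CSP no longer mitigates XSS")
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append("script-src: 'unsafe-eval' allows eval() and "
                            "new Function() on attacker-influenced strings")
        if directive == "style-src" and "'unsafe-inline'" in sources:
            findings.append("style-src: 'unsafe-inline' allows injected inline styles")
        if directive == "connect-src":
            for source in sources:
                if source.lower() in WEBSOCKET_SCHEMES:
                    findings.append(f"connect-src: bare scheme {source} allows "
                                    "WebSocket connections to any host; restrict "
                                    "it to your server's hostname")
    return findings


def restrict_websockets(header: str, hostname: str) -> str:
    """Replace bare ws:/wss: sources in connect-src with the same scheme
    pinned to `hostname` (e.g. 'wss:' -> 'wss://mango.example')."""
    policy = parse_csp(header)
    sources = policy.get("connect-src")
    if sources is None:
        return header
    policy["connect-src"] = [
        f"{s.lower()}//{hostname}" if s.lower() in WEBSOCKET_SCHEMES else s
        for s in sources
    ]
    return serialize_csp(policy)


if __name__ == "__main__":
    for label, policy in (("HTML5 UI", HTML5_UI_POLICY), ("legacy UI", LEGACY_UI_POLICY)):
        print(f"== {label} ==")
        for finding in review_csp(policy):
            print(" -", finding)
        print("restricted:", restrict_websockets(policy, "mango.example"))
```

Running the script shows that after restrict_websockets the connect-src finding disappears for both policies, while the 'unsafe-inline' and 'unsafe-eval' findings remain: those are the trade-offs the lists above document for each UI, and the review output makes clear which of them apply to the policy you actually deploy.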

See here for more information.