Content Security Policy
Mango is capable of using Content Security Policies (CSP) for improved security. CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. The basic idea is that Mango tells your browser which locations it is allowed to load content from and trust; anything outside that list is blocked by the browser.
There are two areas that can have policies applied, the legacy UI and the HTML5 UI. Both are configured via the env.properties file, which contains examples of how to configure them. Both are disabled by default.
Some basic examples are given in the env.properties file. For the HTML5 UI:
style-src 'unsafe-inline' - inline styles are used by AngularJS Material for the dynamic theming
script-src 'unsafe-eval' - needed by Fabric.js used in amCharts for drawing on charts, also gives AngularJS a 30% performance boost
script-src https://cdnjs.cloudflare.com - needed for AngularJS to load locale files from the internet
connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname
img-src data: - allows for small base64 encoded images to be embedded inline into the HTML
img-src/script-src https://www.google-analytics.com - allows for enabling Google Analytics
img-src/script-src https://maps.google.com https://maps.googleapis.com https://maps.gstatic.com - allows for using the Google Maps component
style-src/font-src https://fonts.googleapis.com https://fonts.gstatic.com - allows for using Google fonts in dashboards
For the legacy UI:
script-src 'unsafe-inline' - inline scripts are used extensively throughout the Mango legacy UI
script-src 'unsafe-eval' - the Dojo JS library uses eval()
style-src 'unsafe-inline' - inline styles are used throughout the Mango legacy UI
connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname
img-src data: - allows for small base64 encoded images to be embedded inline into the HTML
img-src/script-src https://www.google-analytics.com - allows for enabling Google Analytics
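The HTML5 and legacy UI lists above both contain source expressions that widen a directive beyond specific origins ('unsafe-inline', 'unsafe-eval', bare ws:/wss:, data:). The following added example (not Mango code, and independent of the env.properties key names, which are not shown here) parses a policy value built from those directives, reports each permissive source, and shows the connect-src tightening the notes recommend; the hostname mango.example.com is a placeholder.

```python
"""Audit a Content-Security-Policy value for the source expressions the
notes above call out as permissive. Added example, not Mango code; the
policy strings are constructed from the directives listed on this page."""
from __future__ import annotations

# Source expressions that widen a directive beyond specific origins.
RISKY_SOURCES = {
    "'unsafe-inline'": "inline code allowed; XSS protection lost for this directive",
    "'unsafe-eval'": "eval()/new Function() allowed; injected strings can run",
    "ws:": "any websocket host; restrict to your server's hostname",
    "wss:": "any websocket host; restrict to your server's hostname",
    "data:": "data: URIs allowed; attacker content can be embedded inline",
}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives: dict[str, list[str]] = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if parts:  # directive names are case-insensitive; sources keep case
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_csp(policy: str) -> list[tuple[str, str, str]]:
    """Return (directive, source, reason) for each permissive source."""
    findings = []
    for directive, sources in parse_csp(policy).items():
        for src in sources:
            if src in RISKY_SOURCES:
                findings.append((directive, src, RISKY_SOURCES[src]))
    return findings


# Constructed HTML5 UI policy using the directives this page lists.
HTML5_UI_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-eval' https://cdnjs.cloudflare.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "img-src 'self' data:; "
    "connect-src 'self' ws: wss:"
)
# The same policy with connect-src pinned to a placeholder hostname.
TIGHTENED_POLICY = HTML5_UI_POLICY.replace("ws: wss:", "wss://mango.example.com")

if __name__ == "__main__":
    for directive, src, why in audit_csp(HTML5_UI_POLICY):
        print(f"{directive}: {src} -> {why}")
```

Running the audit on the tightened policy drops the two connect-src findings while the 'unsafe-eval', 'unsafe-inline' and data: entries the UI needs remain, which is the trade-off the list above documents.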
See here for more information.