Content Security Policies and the Experience Cloud ID Service
Content Security Policy (CSP) - HTTP | MDN
In the above links and recommendations, whitelisting urls and scripts is a standard way of implementing CSP but is there a recommendation for implementing a CSP in AEM and would like to know if someone implemented and help me in implementing one.
-Sanjay
I haven't dealt with CSP yet, but typically you set the headers on the dispatcher (via webserver configuration). This assumes that the host list for the included files is quite static and doesn't change often. Then you can configure this list statically and you don't need to bother on an AEM side with it.
If you cannot hardcode this list (or if the dev team is tasked with it), I would create a servlet filter which adds this header for HTML pages. The list of the domains is still configured somewhere (e.g. OSGI or Sling Context Aware Configuration), but then maintained by the DEV team.
From my point of view there's not much magic in there, and implementing it should be straight forward.
Jörg
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
