Title: Configuring a Content Security Policy for TeamPage
As of version 6.2.66, administrators can configure a Content Security Policy (CSP) for TeamPage. The applicable settings are under server settings > Network > Features / Tuning > Content Security.
Before adjusting this or TeamPage's other Content Security settings, it's important to have a working understanding of the policy and
TeamPage shows you the current value of the HTTP headers it will send (or, if CSP is not enabled, would send) for the CSP as currently configured:
If you choose "yes" for the "Enable Content Security Policy (CSP)" setting, more settings will appear.
The first two settings are related to reporting.
"Report Only" defaults to "yes" so that, initially at least, requests that would have violated the policy will not actually be blocked. This allows you to test your policy (you should see the violations logged in your browser's console) or simply to audit the violations. You can change this setting to "no" to have compliant browsers actually block these violating requests.
Note that in order to actually receive CSP violation reports, you'll need to enter the URI of a reporting endpoint in the "Report To" setting. This can be a service you or your organization controls or has contracted for (e.g., via a subscription service). If no report URI is present, the browser will probably display information about violations on the console, but will not otherwise report them.
There are also some settings you can use to adjust the allowed origins on a per source type basis.
Note that for each source type setting:
Some settings have a default value that includes references to Google domains. These are used for some built-in features, such as charts and other capabilities in TeamPage. You can elect to remove them, but some features may be missing or only partly functional.
There is a list of "hard-coded" sources. In order for TeamPage to function properly, these are always going to be included, regardless of what you enter for the setting value.
There is also a list of sources from plug-ins, listed on a per plug-in basis so you can tell which plug-ins are declaring them as dependencies. These are declared by plug-in developers as being required for plug-in features to function, so if you don't want to accept them, you'll have to disable or uninstall the associated plug-ins.
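As an added illustration (not TeamPage's own code), the following Python models how the settings above combine into the header value: hard-coded sources are always present, plug-in sources appear only while the plug-in is enabled, administrator-entered origins are appended, and report-only mode changes only the header name. The directive names, the sample source lists, the plug-in names and the use of the report-uri directive are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample lists for this example; not TeamPage's real ones.
HARD_CODED: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "img-src": ["'self'", "data:"],
}
PLUGIN_SOURCES: Dict[str, Dict[str, List[str]]] = {
    "charts-plugin": {"script-src": ["https://www.gstatic.com"]},
    "video-plugin": {"frame-src": ["https://player.example.com"]},
}


def build_csp_header(
    admin_sources: Dict[str, str],
    enabled_plugins: List[str],
    report_only: bool = True,
    report_uri: str = "",
) -> Tuple[str, str]:
    """Return (header_name, header_value) for the configured policy."""
    merged: Dict[str, List[str]] = {}

    def add(directive: str, sources: List[str]) -> None:
        bucket = merged.setdefault(directive, [])
        for src in sources:
            if src not in bucket:  # de-duplicate, keep first-seen order
                bucket.append(src)

    # Hard-coded sources are always present, whatever the admin entered.
    for directive, sources in HARD_CODED.items():
        add(directive, sources)
    # Plug-in sources are included only while that plug-in is enabled.
    for plugin in enabled_plugins:
        for directive, sources in PLUGIN_SOURCES.get(plugin, {}).items():
            add(directive, sources)
    # Admin-entered values (whitespace-separated origins) are appended last.
    for directive, value in admin_sources.items():
        add(directive, value.split())

    parts = [f"{d} {' '.join(s)}" for d, s in merged.items()]
    if report_uri:  # assumption: reports go via the report-uri directive
        parts.append(f"report-uri {report_uri}")
    # Report-only mode changes the header name, so nothing is blocked.
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, "; ".join(parts)
```

Note that removing `'self'` from an admin setting has no effect here, which mirrors the page's point that hard-coded sources are included regardless of the entered value.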
If you're not sure what values to add for each setting, you can experiment by leaving the CSP in report-only mode and seeing whether your browser console (or reporting system, if you have one) gives you any insight into what other sources may be necessary or useful to include. You don't have to take the CSP out of report-only mode until you're ready.