Share
Report
5Hi,
I have been reviewing the security controls relating to a Dynamics 365 Finance and Operations installation and I have noticed that there is a lack of Content Security Policy browser directives in the content.
Only "Content-Security-Policy: frame-ancestors 'self'" appears to be active, but we would typically want to define other CSP directives to remove directive ambiguity i.e., missing CSP Directives, with no fall-back.
As I don't operate the environment, is there a config setting where CSP directives can be individually activated? We allow our users to use Edge, Chrome and Firefox to interact with Dynamics 365, therefore want to provide more contemporary security directives to the client browsers connecting to the service.
What settings exist or is there a recommended approach to implement more granular CSP directives, without breaking any Dynamics 365 content?
Example CSP directive:
- plugin-types
- report-uri
- referrer
- form-action
- base-uri
- sandbox
- reflected-xss
Other References:
- https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- https://csp.withgoogle.com/docs/strict-csp.html
- https://github.blog/2017-01-19-githubs-post-csp-journey/
- https://ccsecuritytraining.com/bypassing-csp-via-ajax-googleapis-com/
- https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22
All responses (
Answers (
