Content-Security-Policy

Content Security Policy (CSP) is an additional layer of security that helps detect and mitigate certain classes of attacks, including Cross-Site Scripting (XSS) and data injection attacks. CSP lets server administrators reduce or eliminate the vectors by which XSS can occur. With the frame-ancestors directive, the administrator specifies the domains that the browser should treat as valid parents allowed to embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. A CSP-compatible browser then renders the embedded page only when the parent page comes from one of the allowed domains.

Configuring CSP in the Grid

The Grid can be configured to send a Content-Security-Policy header carrying the frame-ancestors directive by setting the Grid properties listed below. See the Infor ION Grid Administration Guide for details on configuring Grid properties.

  • grid.http.csp.frameAncestorsEnabled – Defines whether the Content-Security-Policy header with the frame-ancestors directive is sent.

  • grid.http.csp.frameAncestorsList – A list of the domains that are permitted to embed the resource. If the header is enabled and this property is unset or empty, only the Grid's own domain may embed the resource (equivalent to frame-ancestors 'self').
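The following is an added example, not code from the Infor ION Grid. It builds the header value that the two properties above describe (assuming frameAncestorsList is a whitespace-separated list of CSP source expressions) and evaluates, using CSP Level 2 host-matching rules, whether a given parent origin would be allowed to frame the resource. It is useful for checking a captured Content-Security-Policy response header against the origins you expect to embed Grid pages.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def build_frame_ancestors_header(enabled, ancestors_list):
    """Header value the Grid would send, or None when the header is disabled.
    Assumption: ancestors_list holds whitespace-separated source expressions."""
    if not enabled:
        return None
    sources = ancestors_list.split() or ["'self'"]  # empty list -> own domain only
    return "frame-ancestors " + " ".join(sources)

def _host_matches(pattern, host):
    """CSP2 host matching: '*' matches any host; '*.example.com' matches
    subdomains of example.com but not example.com itself."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def _source_matches(source, parent, self_origin):
    """Does one frame-ancestors source expression match the parent origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return parent.lower().rstrip("/") == self_origin.lower().rstrip("/")
    scheme, _, rest = source.rpartition("://")   # scheme is "" when omitted
    host, _, port = rest.partition(":")
    p = urlsplit(parent)
    if scheme and scheme.lower() != p.scheme.lower():
        return False
    if not _host_matches(host.lower(), (p.hostname or "").lower()):
        return False
    if port and port != "*":
        parent_port = p.port or DEFAULT_PORTS.get(p.scheme.lower())
        return str(parent_port) == port
    return True   # simplification: a scheme-less source matches any scheme

def may_embed(csp_header, parent_origin, self_origin):
    """True if a page at parent_origin may frame a resource served with csp_header."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return any(_source_matches(s, parent_origin, self_origin) for s in tokens[1:])
    return True   # no frame-ancestors directive -> browser applies no framing restriction

if __name__ == "__main__":
    # Constructed sample values; the Grid origin and portal hosts are placeholders.
    hdr = build_frame_ancestors_header(True, "https://portal.example.com *.intranet.example")
    print(hdr, may_embed(hdr, "https://hr.intranet.example", "https://grid.example.com:8443"))
```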

For the full specification of the frame-ancestors directive, see Content Security Policy Level 2 at https://www.w3.org/TR/CSP2/