Draft version 7 Feb 2022
General Information
Finna supports integration of external services, such as chat and library map providers. These services are typically JavaScript-driven and display their content inside Finna. This document outlines guidelines and recommendations for integrating such services.
Content Security Policy
By default Finna enforces a strict Content Security Policy (CSP) to protect users from e.g. XSS attacks. The CSP can be customized according to the needs of each Finna view.
Recommendations
These are our recommendations for external services:
- Document the CSP rules the service needs.
- Include required sources for fonts, media etc. in the documentation.
- Make sure the document is up to date.
- Avoid overly broad or unsafe rules, as well as rules that don't work on all common browsers. See below for specifics.
- Avoid a large set of rules. Each rule increases the length of the headers sent by Finna.
- Avoid requiring services that may contain user-created scripts.
- A bootstrapper script should be the only script that needs to be inlined (with a security nonce that allows it to be run).
- If the service really requires injecting inline scripts into the page, its bootstrapper should support specifying the nonce attribute that is added to those inline scripts so that they are allowed to run (see unsafe-inline below).
Specific script-src rules that should be avoided
- unsafe-eval (use of eval should be avoided)
- unsafe-hashes
- unsafe-inline (see above)
- strict-dynamic (useful, but does not work with Safari)
Further Information on Content Security Policy
https://vufind.org/wiki/administration:security:content_security_policy (VuFind Documentation)
https://content-security-policy.com/
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy