In order to use Content-Security-Policy (CSP) response headers with Information Centric Analytics (ICA), the procedure provided in the Resolution of this document must first be implemented.

Per Mozilla:

HTTP Content-Security-Policy (CSP) response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.

Release : 6.5.x

Component : IIS

The following procedure will enable the use of CSP headers with ICA. We recommend first testing this procedure in a development environment. To implement, follow this procedure:

1. In SQL Server Management Studio (SSMS), connect to the database engine hosting the ICA RiskFabric database
2. Navigate to Databases > Risk Fabric
3. Right-click the RiskFabric database and select New Query
4. Copy the following statement and paste it in the new query editor window:

   USE RiskFabric;
   GO
   MERGE dbo.PortalSettings TARGET 
   USING (VALUES 
   ('CorsEnabled', '1', 'bool'),
   ('CorsOrigins', 'http://localhost:80', 'string'),
   ('CorsHeaders', 'Accept, Content-Type, X-Requested-With', 'string'),
   ('CorsMethods', 'GET, POST, OPTIONS', 'string')
   ) AS SOURCE (Name, Value, ValueType) ON (TARGET.Name = SOURCE.Name)
   WHEN NOT MATCHED THEN INSERT (Name, Value, ValueType) VALUES (SOURCE.Name, SOURCE.Value, SOURCE.ValueType)
   WHEN MATCHED THEN UPDATE SET Value = SOURCE.Value;

5. Execute the query by pressing the F5 key or selecting Execute from the Query menu
6. Open the Services application on the ICA web server
7. Locate the World Wide Web Publishing Service
8. Right-click the World Wide Web Publishing Service and select Restart
9. In a browser, refresh/reload the ICA web console to reflect the change