SAP Knowledge Base Article - Public

3056710 - Resources not loading/blocked - Content Security Policy

Symptom

  • In certain sections of SuccessFactors Learning, content such as images, videos, etc. is not rendering/showing up.
  • Content that is hosted externally is not working. The content renders correctly in one web browser but not others.
  • What is Content-Security-Policy (CSP)?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors Learning

Cause

There could be many factors, some of which could be outside the control of SAP. The only setting in SAP SuccessFactors Learning that could be the trigger is the Content Security Policy (CSP) in the WEB_SECURITY properties file.

Resolution

What is Content Security Policy (CSP)?

  • Content-Security-Policy is an HTTP response header that modern browsers use to enhance the security of a web page or document. It provides a way to block specified resources that may be deemed malicious.
  • Any resource (JavaScript, CSS, font, image, etc.) that is loaded from a URL which is not present in the out-of-box configuration will be blocked.
  • Not all browsers respect CSP, so resources might work in one browser versus another.

What is the out-of-box default content security policy set by the product?

The configuration is subject to change; to validate, use a network trace to get the current value.

default-src 'self' .sapjam.com jamatsap.com *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.sap *.successfactors.com blob: * data: *;
connect-src 'self' *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn.com *.plateau.com *.plateau.internal *.sap *.successfactors.com blob: * data: *;
img-src 'self' blob: * data: * android-webview-video-poster: *;
style-src 'self' 'unsafe-inline' 'unsafe-eval' *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.plateau.com *.plateau.internal *.jsdelivr.net *.sap *.successfactors.com blob: * data: *;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sapjam.com jamatsap.com *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.sap *.successfactors.com blob: * data: *;
font-src 'self' *.ondemand.com *.sap.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.sap *.successfactors.com blob: * data: *;
frame-src 'self' *.sapjam.com jamatsap.com *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.cloud.sap *.plateau.com *.plateau.internal *.sap *.successfactors.com blob: * data: * tel: mailto: wvjbscheme://;

How to find out if Content Security Policy (CSP) is enabled?

CSP is enabled by default on all Learning environments that are on the 1H 2021 release and above (see below on how to disable). CSP is set on all outgoing network transactions; the steps below show an example:

  1. Use the built-in developer tools (usually F12 on the keyboard) and go to the Network tab.
  2. Navigate to a Learning page such as Learning Administration.
  3. In the network section, select any network transaction. In the Headers tab, find the Content-Security-Policy value.

How can we tell if a resource is blocked due to CSP?

  1. Open the browser developer tools on the page that seems to be blocked.
  2. Go to the Console tab and look for a "Refused to load" type of error, as it will mention a Content Security Policy directive.

Can CSP be disabled to troubleshoot issues?

Yes. You can either choose to disable it completely or still get reports of the CSP error in the console. We suggest leaving it in report mode, as it will not block any of the resources but will still provide logs of the error.

  1. Go to System Administration > Configuration > System Configuration
  2. Edit the WEB_SECURITY property file
  3. Find the CSPheader.mode setting
  4. Either change this to disabled or report

How do we unblock content that is blocked by the Content Security Policy?

  1. Learning Administration
  2. System Administration
  3. Configuration
  4. System Configuration
  5. Edit WEB_SECURITY

When content from an external domain is blocked:

  1. Go to WEB_SECURITY and, with the property CSPheader.excludeURI, add the URL in question so that it is excluded from having this header added
    1. Take for example the above screenshot that shows an error. The URL that is blocked is "showAdminWelcomeForAdminUI.do"
    2. Add a new CSPheader.excludeURI[number based off as many as you have]=showAdminWelcomeForAdminUI.do
    3. Apply Changes
  2. Let's say content inside a frame on a web page is blocked and the blocked URL is 1234.abc.com; then go to WEB_SECURITY and add the domain in the CSPheader.headerValues[frame-src] property. The same applies to other elements such as image, css etc.
    1. Go to WEB_SECURITY and modify CSPheader.headerValues[frame-src]= *.abc.com
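
How a browser decides that the frame from 1234.abc.com is blocked, and why adding *.abc.com to frame-src unblocks it, as an added JavaScript example (not SAP code). It also covers the fallback to default-src for directives missing from the policy. The policy strings and page origin are constructed for illustration, and the matcher ignores ports, paths, nonces and hashes.

```javascript
// Added example: minimal CSP source-list matcher (constructed policies, not SAP code).

// Parse a header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the URL being loaded?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  // Scheme source such as blob: or data:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').toLowerCase();
  // *.abc.com matches subdomains only, never abc.com itself
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// A missing directive falls back to default-src
// (simplified: the intermediate child-src step for frames is omitted).
function isAllowed(header, directive, resourceUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy['default-src'];
  if (sources === undefined) return true; // nothing restricts this resource type
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed values for illustration, not a real tenant's policy.
const PAGE = 'https://lms.example.sapsf.com';
const BEFORE = "default-src 'self' *.sapsf.com; frame-src 'self' *.sapsf.com *.successfactors.com";
const AFTER = BEFORE + ' *.abc.com'; // effect of CSPheader.headerValues[frame-src] gaining *.abc.com

console.log(isAllowed(BEFORE, 'frame-src', 'https://1234.abc.com/course/', PAGE)); // false
console.log(isAllowed(AFTER, 'frame-src', 'https://1234.abc.com/course/', PAGE)); // true
// img-src is absent, so default-src decides
console.log(isAllowed(AFTER, 'img-src', 'https://1234.abc.com/logo.png', PAGE)); // false
```

The last call shows why the article says to repeat the change per element type: allowing a domain in frame-src does not allow its images or stylesheets.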

Note: SAP Support does not assist with content hosted on external domains. If content is blocked, please check the browser console logs for the error and complete the above steps or change the CSP setting to report mode.

Keywords

Security Policy, Blocked Content, Content Security Policy, Content Blocked, Blocked , KBA , LOD-SF-LMS-CNT , Content , LOD-SF-LMS-PCM , iContent , Problem

Product

SAP SuccessFactors Learning all versions