SAP Knowledge Base Article - Public

3056710 - Resources not loading/blocked - Content Security Policy

Symptom

  • When accessing certain sections in SuccessFactors Learning, content such as images or videos does not render.
  • Content that is hosted externally does not work, or renders correctly in one web browser but not in others.
  • What is Content-Security-Policy (CSP)?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors Learning

Cause

There can be many factors, some of them outside the control of SAP. The only setting in SAP SuccessFactors Learning that could be the cause is the Content Security Policy (CSP) in the WEB_SECURITY property file.

Resolution

What is Content Security Policy (CSP)?

  • Content-Security-Policy is an HTTP response header that modern browsers use to enhance the security of a web page or document. It lets the server declare which sources a page may load resources from, so that resources from anywhere else are blocked as potentially malicious.
  • Any resource (JavaScript, CSS, font, image, etc.) that is loaded from a URL not covered by the out-of-box configuration will be blocked.
  • Not all browsers enforce CSP in the same way, so a resource may load in one browser but be blocked in another.

What is the out-of-box Content Security Policy defined by the product?

This configuration is subject to change; to validate it, use a network trace to get the latest list.

default-src 'self' .sapjam.com jamatsap.com *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.sap *.successfactors.com blob: * data: *; connect-src 'self' *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn.com *.plateau.com *.plateau.internal *.sap *.successfactors.com blob: * data: *; img-src 'self' blob: * data: * android-webview-video-poster: *; style-src 'self' 'unsafe-inline' 'unsafe-eval' *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.plateau.com *.plateau.internal *.jsdelivr.net *.sap *.successfactors.com blob: * data: *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sapjam.com jamatsap.com *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.sap *.successfactors.com blob: * data: *; font-src 'self' *.ondemand.com *.sap.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.sap *.successfactors.com blob: * data: *; frame-src 'self' *.sapjam.com jamatsap.com *.ondemand.com *.sapsf.com *.sapsf.eu *.sapsf.cn *.cloud.sap *.plateau.com *.plateau.internal *.sap *.successfactors.com blob: * data: * tel: mailto: wvjbscheme://;

How to find out if Content Security Policy (CSP) is enabled?

CSP is enabled by default on all Learning environments on the 1H 2021 release and above (see below for how to disable it). The header is sent on all outgoing network transactions; the following is an example of how to see it:

  1. Use the browser's built-in developer tools (usually F12 on the keyboard) and open the Network tab.
  2. Navigate to a Learning page such as Learning Administration.
  3. In the Network tab, select any network transaction. In the Headers tab, find the Content-Security-Policy header.

How can we tell if a resource is blocked because of CSP?

  1. Open the browser developer tools on the page where content seems to be blocked.
  2. Go to the Console tab and look for a "Refused to load" type of error; it will name the Content Security Policy directive that blocked the resource.

Can CSP be disabled to avoid issues?

Yes. You can either disable it completely or keep receiving reports of CSP errors in the console. We suggest leaving it in report mode, which does not block any resources but still logs the violations.

  1. Go to System Administration > Configuration > System Configuration.
  2. Edit the WEB_SECURITY property file.
  3. Find the CSPheader.mode setting.
  4. Change it to either disabled or report.

How do we unblock content that is blocked by the Security Policy?

  1. Learning Administration
  2. System Administration
  3. Configuration
  4. System Configuration
  5. Edit WEB_SECURITY

If content from an external domain is blocked:

  1. Go to WEB_SECURITY and, in the property CSPheader.excludeURI, add the URL in question so that the header is not added for it.
    1. Take, for example, the image above that shows the error. The blocked URL is "showAdminWelcomeForAdminUI.do".
    2. Add a new entry CSPheader.excludeURI[number based on how many entries you already have]=showAdminWelcomeForAdminUI.do
    3. Apply Changes.
  2. If content inside a frame on a web page is blocked and the blocked URL is 1234.abc.com, go to WEB_SECURITY and add the domain to the CSPheader.headerValues[frame-src] property. The same applies to other element types such as images and CSS, which are governed by their own directives (img-src, style-src, etc.).
    1. Go to WEB_SECURITY and modify CSPheader.headerValues[frame-src]= *.abc.com
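As an added illustration (not part of the KBA or the product), the following Python checker applies CSP source matching to a constructed policy: the fallback from a missing directive to default-src, scheme sources such as data: and blob:, and the rule that a wildcard like *.abc.com covers 1234.abc.com but not abc.com itself. The policy, domain names and page URL are sample values, not the product's configuration.

```python
from urllib.parse import urlparse

# Directive fallback chain (CSP Level 3): frame-src falls back to child-src, then
# default-src; the other fetch directives fall straight back to default-src.
FALLBACK = {"frame-src": ["child-src", "default-src"]}

def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """Return True if one CSP source expression permits the resource URL."""
    u = urlparse(url)
    if source == "'self'":
        return (u.scheme, u.netloc) == (page_origin.scheme, page_origin.netloc)
    if source.startswith("'"):          # 'unsafe-inline', 'none', ... never match a URL
        return False
    if source == "*":                   # '*' covers network schemes only, never data:/blob:
        return u.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":") and "//" not in source:   # scheme-source such as data: or blob:
        return u.scheme == source[:-1]
    host = urlparse(source if "://" in source else "//" + source).hostname
    if host is None or u.hostname is None:
        return False
    if host.startswith("*."):           # a wildcard matches subdomains only, not the apex
        return u.hostname.endswith(host[1:])
    return u.hostname == host

def is_allowed(header, directive, url, page_url):
    """Decide whether a browser would load `url` for `directive` under `header`."""
    policy = parse_csp(header)
    for d in [directive] + FALLBACK.get(directive, ["default-src"]):
        if d in policy:
            origin = urlparse(page_url)
            return any(source_matches(s, url, origin) for s in policy[d])
    return True                         # no governing directive: nothing is restricted

# Constructed sample policy, deliberately stricter than the product's out-of-box one so
# the effect of the KBA's fix (adding *.abc.com to frame-src) is visible.
STRICT = ("default-src 'self' *.successfactors.com; "
          "img-src 'self' blob: data: *.successfactors.com; "
          "frame-src 'self' *.sapsf.com")
FIXED = STRICT + " *.abc.com"           # frame-src is the last directive, so this extends it
PAGE = "https://tenant.successfactors.com/learning/admin"   # constructed page URL
```

Under STRICT, is_allowed(STRICT, "frame-src", "https://1234.abc.com/course", PAGE) is False and under FIXED it is True, while https://abc.com/ stays blocked because the wildcard does not cover the apex domain.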

Note: SAP Support does not assist with resources hosted on external domains. If content is blocked, please check the browser console logs for the error and complete the above steps or change the CSP setting to report mode.

Keywords

Security Policy, Blocked Content, Content Security Policy, Content Blocked, Blocked, KBA, LOD-SF-LMS-CNT, Content, LOD-SF-LMS-PCM, iContent, Problem

Product

SAP SuccessFactors Learning all versions