SAP Knowledge Base Article - Public

3476408 - Use of Default-src and Object-src directive in Content Security Policy of RMK Career site - Recruiting Marketing


Customer is using a third party application to evaluate the Content Security Policy of the career site which provides some recommendations regarding the use Default-src and Object-src on the RMK career site. 


SAP SuccessFactors Recruiting Marketing


Content Security Policy (CSP) offers the default-src 'self' directive, enforcing that all content types originate from the same domain. It also provides a customizable allow list for specifying trusted sources. This is a standard configuration of SuccessFactors and not considered as a vulnerability. With regards to missing object-src directive in Content Security Policy, the absence of this directive does not also mean a vulnerability on the career site. With regards to the directives being used by SuccessFactors, you can also refer to Content Security Policy Header. However, the customer can also submit an enhancement request for the object-src directive to be added on the Content Security Policy of the RMK career site. 

See Also

3044364 - Enabling Content Security Policy for RMK Site - Recruiting Marketing


SIR0054925, CSP Evaluator, Directives, Vulnerability, Security, CSP  , KBA , LOD-SF-RMK-SEC , Security & Vulnerabilities , Problem


SAP SuccessFactors Recruiting all versions