Symptom
Customer is using a third party application to evaluate the Content Security Policy of the career site, which provides some recommendations regarding the use of the default-src and object-src directives on the RMK career site.
Environment
SAP SuccessFactors Recruiting Marketing
Resolution
Content Security Policy (CSP) offers the default-src 'self' directive, enforcing that all content types originate from the same origin as the page. It also provides a customizable allow list for specifying trusted sources. This is a standard configuration of SuccessFactors and is not considered a vulnerability. With regards to the missing object-src directive in the Content Security Policy, the absence of this directive also does not by itself mean a vulnerability on the career site: when object-src is not set, browsers apply the default-src source list to plugin content, so the default-src 'self' restriction already covers it. With regards to the directives being used by SuccessFactors, you can also refer to Content Security Policy Header. However, the customer can also submit an enhancement request for the object-src directive to be added to the Content Security Policy of the RMK career site.
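To verify this fallback behaviour against a concrete header, the following added example (not SAP code, and the sample headers are constructed, not taken from any RMK site) parses a CSP header and reports which source list effectively governs object-src:

```python
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
    "worker-src",
}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and the first occurrence of a directive wins."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that governs `directive`: its own list if present, else
    default-src when the directive falls back to it, else None (the policy
    places no restriction on that directive at all)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None

def plugins_restricted(header: str) -> bool:
    """True when object-src is effectively restricted: governed by 'none',
    'self' or an explicit allow list without the '*' wildcard. An empty
    list (e.g. "default-src;") means 'none' and counts as restricted."""
    sources = effective_sources(parse_csp(header), "object-src")
    if sources is None:
        return False
    return "*" not in sources

# Constructed sample headers: the first mirrors a default-src 'self' policy
# with no object-src, the second has no default-src to fall back on.
COVERED_BY_DEFAULT = "default-src 'self'; script-src 'self' https://cdn.example.com"
UNRESTRICTED = "script-src 'self'; img-src *"

if __name__ == "__main__":
    for hdr in (COVERED_BY_DEFAULT, UNRESTRICTED):
        print(f"{hdr!r}: plugins restricted = {plugins_restricted(hdr)}")
```

A policy like the first sample is flagged by CSP evaluators as "missing object-src" even though plugin content is already limited to the site's own origin; the second sample shows the case where the warning would actually matter.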
See Also
3044364 - Enabling Content Security Policy for RMK Site - Recruiting Marketing
Keywords
SIR0054925, CSP Evaluator, Directives, Vulnerability, Security, CSP, KBA, LOD-SF-RMK-SEC, Security & Vulnerabilities, Problem