
Strategy's CSP (Content Security Policy) Plan


Scott Rowley

Director, Application Security Engineering • MicroStrategy


Strategy is continuing to invest in stronger Content Security Policy for both Strategy Web and Strategy Library. This article provides information relating to our plan, timelines and what you can do to identify potential impact and test ahead of your future upgrades.

A Content Security Policy, commonly known as CSP, acts as a set of directives that helps protect our web application—think of it as a security guard for our online presence. It's a part of our defense-in-depth strategy against various cyber threats, such as XSS, clickjacking and injection attacks. By implementing a stronger CSP, we're investing in additional security measures to protect our web applications.

Two of our target CSP directives to remove are unsafe-eval and unsafe-inline. The usage of these is common in both web applications and customizations/plugins across the software industry. As the industry works to default to stronger CSP, some changes may be required. For instance, if your custom scripts were previously added directly into web pages (inline) or if they included dynamic code execution (eval), these practices will no longer be permitted under the new policy. This means that you may need to modify how your custom content or customizations are applied.


Strategy Product CSP Plan:

To minimize impact on customizations and integrations, Strategy is making the stronger CSP policies optional. This lets customers who are ready adopt them, while those who aren't ready can opt out while they test and identify any potential impact.
Areas of Strategy's Platform which may be impacted:
A few areas of Strategy can be configured to accept custom content and could be impacted. These include:

  • HTML Containers - For included HTML content, any unsafe-inline or unsafe-eval will be blocked.
  • Custom HTML and JavaScript - Strategy supports a number of locations which can be configured to accept custom HTML or JavaScript. These include Prompts, HTML Attribute Forms, Links, Custom JSP pages and Project Status. Details on how to determine if these are enabled for your MicroStrategy system can be found here: Disallow Custom HTML and JavaScript in Dashboards, Documents, Reports, and Bots (strategy.com)
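To get a first idea of which constructs in a piece of custom content a hardened policy would block, the following added example (not Strategy's code) takes a CSP string of the same shape as the security.csp.policyDirectives value on this page plus a snippet of custom HTML/JavaScript and lists the constructs that need 'unsafe-eval' or 'unsafe-inline'. It also models two details a practitioner easily misses: a nonce or hash source makes browsers ignore 'unsafe-inline', and 'wasm-unsafe-eval' only permits WebAssembly, not eval(). The regexes are heuristics, not an HTML/JS parser, and the sample policy and customization are constructed.

```javascript
// Added example, not Strategy's code: given a CSP policy string (such as the
// security.csp.policyDirectives value) and a snippet of custom HTML/JS, report
// which constructs the policy would block. Regex heuristics, not a full
// HTML/JS parser; the sample policy and customization below are constructed.

// Parse "directive src src; directive src" into { directive: Set(sources) }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = new Set(sources.map(s => s.toLowerCase()));
  }
  return out;
}

// What script-src really permits: a nonce or hash source makes browsers ignore
// 'unsafe-inline', and 'wasm-unsafe-eval' covers WebAssembly only, not eval().
function scriptCapabilities(csp) {
  const src = csp['script-src'] || csp['default-src'] || new Set();
  const nonceOrHash = [...src].some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    eval: src.has("'unsafe-eval'"),
    wasm: src.has("'unsafe-eval'") || src.has("'wasm-unsafe-eval'"),
    inline: src.has("'unsafe-inline'") && !nonceOrHash,
  };
}

// Constructs found in custom content and the capability each one needs.
const CHECKS = [
  { needs: 'eval', label: 'eval()', re: /\beval\s*\(/ },
  { needs: 'eval', label: 'new Function()', re: /\bnew\s+Function\s*\(/ },
  { needs: 'eval', label: 'setTimeout/setInterval with a string', re: /\bset(Timeout|Interval)\s*\(\s*["'`]/ },
  { needs: 'wasm', label: 'WebAssembly compilation', re: /\bWebAssembly\.(compile|instantiate)\b/ },
  { needs: 'inline', label: 'inline <script> without nonce', re: /<script\b(?![^>]*\b(nonce|src)=)[^>]*>/i },
  { needs: 'inline', label: 'inline event handler attribute', re: /\son[a-z]+\s*=\s*["']/i },
  { needs: 'inline', label: 'javascript: URL', re: /\b(href|src)\s*=\s*["']\s*javascript:/i },
];

// Labels of the constructs in `content` that `policy` would block.
function findBlocked(policy, content) {
  const caps = scriptCapabilities(parseCsp(policy));
  return CHECKS.filter(c => c.re.test(content) && !caps[c.needs]).map(c => c.label);
}

// Constructed sample: the nonce-based policy from the FAQ on this page and a
// customization that uses eval, an inline <script> and an onclick attribute.
const SAMPLE_POLICY = "object-src 'none'; script-src 'nonce-NONCE_TOKEN' 'strict-dynamic' https:; base-uri 'self';";
const SAMPLE_CUSTOM = `<div onclick="refresh()">Refresh</div>
<script>var cfg = eval('(' + rawJson + ')');</script>`;
console.log(findBlocked(SAMPLE_POLICY, SAMPLE_CUSTOM));
```

A clean result from this check is a reason to run the end-to-end browser test the FAQ recommends, not a substitute for it.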

Strategy Library CSP:

Strategy Library has removed unsafe-eval from its CSP directives by default. Environments with failing executions of the eval JavaScript function may opt out following the steps in the FAQ below.

CSP Directive | Impact | Default enforced as of
--- | --- | ---
unsafe-eval | JavaScript based plugins, visualizations or customizations which use eval will break. | End of 2024


Strategy Web Opt-In CSP:

Strategy is planning to remove unsafe-inline and unsafe-eval from Strategy Web’s CSP Policy in a phased approach:

CSP Directive | Impact | Default enforced as of
--- | --- | ---
unsafe-eval | JavaScript based plugins, visualizations or customizations which use eval will likely break. | June 2025
unsafe-inline | JavaScript based plugins, visualizations or customizations which use inline scripts will likely break. | Not yet announced.


FAQ:

  1. How do I customize the CSP policy in Web or Library, such as to re-allow unsafe-eval?
    1. Add the following lines to the config override configuration file:
      1. The file path is tomcat/webapps/<WebApplication>/WEB-INF/classes/config and the file name is configOverride.properties.
      2. Add the following two lines, placing your customized CSP directives in the second line:
         features.contentSecurityPolicy=true
         security.csp.policyDirectives=object-src 'none'; script-src 'nonce-NONCE_TOKEN' 'strict-dynamic' https:; base-uri 'self';
    2. As of July 2024, ESRI Maps requires unsafe-eval to function. Customers who use ESRI Maps can enable this by adding wasm-unsafe-eval to the script-src directive, for example:
         script-src 'nonce-NONCE_TOKEN' 'strict-dynamic' https: 'wasm-unsafe-eval';
  2. How do I identify whether my customizations / plugins / integrations will be impacted by the CSP hardening?
    1. Customizations that do not use removed directives are not affected. Be sure to check for usage of removed directives in customized HTML, HTML containers or any third-party libraries that are used. A functional end-to-end test is recommended to certify that a customization will execute properly in the browser when restricted calls are not allowed.

  3. My customization breaks due to the CSP hardening, what can I do?
    1. Historically, eval has been used in web applications to parse JSON data, create functions on the fly, or load dynamic code. Replace eval according to the situation: for example, use JSON.parse() to parse JSON data, and ship JavaScript source code from your web application instead of assembling and loading dynamic code on the client.

    2. Strategy professional services can be contracted to help secure your custom capabilities. Please contact your account team or Strategy Technical Support to learn more about how we can help.
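The replacements the FAQ describes, written out as an added example that is not Strategy's code: JSON.parse() in place of eval-based JSON parsing, and an explicit allowlist of handlers shipped as ordinary script source in place of code assembled from runtime strings. The legacy forms are kept only for contrast; the action names, the data-action attribute and the button wiring are constructed.

```javascript
// Added example, not Strategy's code: CSP-compatible replacements for the
// eval() uses named in the FAQ. Runs under Node; action names are constructed.

// Before: JSON parsed by evaluating it as JavaScript (needs 'unsafe-eval').
// Kept only for contrast: it also accepts non-JSON such as {a: 1}.
function parseConfigLegacy(raw) {
  return eval('(' + raw + ')');
}

// After: JSON.parse needs no eval and rejects anything that is not JSON.
function parseConfigSafe(raw) {
  return JSON.parse(raw);
}

// Before (not runnable here): a handler chosen at runtime by building code,
//   eval(actionName + '()')   or   new Function(bodyFromServer)()
// After: handlers are plain functions shipped as script source; runtime input
// only selects from an explicit allowlist and never becomes code.
const ACTIONS = {
  refresh: () => 'refreshed',
  exportCsv: () => 'exported',
};
function runActionSafe(name) {
  // hasOwnProperty guards against prototype names such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, name)) {
    throw new Error(`unknown action: ${name}`);
  }
  return ACTIONS[name]();
}

// Before: inline handler in markup, <button onclick="runAction('refresh')">,
// which needs 'unsafe-inline' or a nonce. After: attach listeners from the
// script file. `document` is assumed to exist only in a browser.
function wireButtons(root = globalThis.document) {
  if (!root) return 0; // e.g. running under Node: nothing to wire
  let wired = 0;
  for (const el of root.querySelectorAll('button[data-action]')) {
    el.addEventListener('click', () => runActionSafe(el.dataset.action));
    wired++;
  }
  return wired;
}
```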

Updates:

  • Edit November 2024: Strategy Library unsafe-eval default-enforced plans are now targeted for mid 2025.
  • Edit April 2025: updated with our current plans.

Details

Knowledge Article
Published: July 23, 2024
Last Updated: April 23, 2025