General plugins (Local): Content security policy

Maintained by Picture of Catalyst ITCatalyst IT, Picture of Brendan HeywoodBrendan Heywood
This plugin allows an admin to create a Custom Security Policy (CSP) in both reporting mode and enforcing mode. A simple use case is to detect and cleanup issues with non secure content after a migration from http to https, through to advanced policies to mitigate from XSS attacks.
206 sites
8 fans

This plugin allows you to configure a Custom Security Policy (CSP) which is sent via HTTP headers. CSP headers instruct browsers to make certain actions. For example, if a website is available by HTTPS, then a CSP policy of 'default https:;' will tell the browser to prohibit loading of any sources (scripts, css etc.) via HTTP.

Learn more about CSP here:

There are many other CSP rules that browsers can understand and by using them administrators can flexibly tune their website if they wanted to get rid of mixed content or classes of cross-site scripting vulnerabilities. 

Any policy you wish to use can be safely tested first using 'Report only' mode, and this plugin has a built in CSP aggregator and reports all errors which are raised. You can have two different policies, one for testing and one for enforcing and gradually move each directive from 'report' to 'enforcing' after the various issues have been found and fixed.


Screenshot #0
Screenshot #1


Picture of Catalyst IT
Catalyst IT (Lead maintainer)
Picture of Brendan Heywood
Brendan Heywood: Architect
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Picture of Plugins bot
    Tue, Feb 21, 2017, 3:00 PM
    Approval issue created: CONTRIB-6759
  • Picture of Susan Mangan
    Thu, Jul 13, 2017, 3:24 AM
    Hi, just installed this on our test system and seems great so far. Running Moodle version 3.2. I have 2 questions:

    1. The reported a far greater number of potentially problematic domains than the CSP violation report did. I guess I'd have to dig around in the code to find out what each is doing exactly to determine why but if anyone has an idea about this that would be very helpful!

    2. I generated a few pages of CSP violation reports, made some changes and reset all statistics. I think perhaps that was not the correct thing to do. Our system technically should be producing the same report it did initially but since I reset statistics I can't seem to find a way to make this happen. I've cleared caches and disabled and re-enabled the plug-in. I can't find anything in the documentation about this. Am I missing something? TIA!
  • Picture of Susan Mangan
    Thu, Jul 13, 2017, 6:02 AM
    One more question.
    Does this plug-in work with IE-11?
    I can block content in Chrome and FFox so far but same content not blocked in IE-11.
  • Picture of Susan Mangan
    Thu, Jul 13, 2017, 6:09 AM
    Never mind... just viewed the browser compatibility at sad
  • Picture of Susan Mangan
    Thu, Jul 13, 2017, 7:39 AM
    Oh ... I think I got it ... I need to apply specific policy for IE... I just used the default policies that were included in the plug-in. And I figured out my report issue - when I removed the custom css for the theme the report showed nothing, put it back, we get the violations again.
  • Picture of Will Lehman
    Mon, Aug 28, 2017, 10:23 AM
    Any plans to release this for Moodle 3.3?
  • Picture of Brendan Heywood
    Tue, Aug 29, 2017, 7:21 AM
    hi Will,

    Have you actually tested it in 3.3? I'd be surprised if it didn't work as-is in 3.3 but I haven't tested it myself. If there is any issues under 3.3 can you please raise them here

  • Picture of Tony G
    Wed, Apr 15, 2020, 5:08 PM

    May I have the list of what CSP is supported in this plugin? Thank you.
Please login to post comments