If they are sourcing files from their web site, you potentially have an issue.
On-prem should usually mean all on prem.
Regards,
Richard Schoen
Web: http://www.richardschoen.net
Email: richard@xxxxxxxxxxxxxxxxx
----------------------------------------------------------------------
message: 1
date: Fri, 1 Apr 2022 12:12:14 +0000
from: Rob Berendt <rob@xxxxxxxxx>
subject: Is your vendor supplied "on prem" web product dependent upon connection to their server?
I am using an on premises solution.
I am reading their user manual because I want to implement HSTS to pass an audit.
Immediately following that section in their manual is a section about implementing HTTP Content Security Policy (CSP). In that section I see:
<snip with redaction>
Default - The Default setting provides the URLs that are required for <our product> to load resources from http://www.<ourwebsite>.com. Inline scripts, such as JavaScript, are allowed to be executed.
</snip with redaction>
There is a custom option which allows you to tailor this but it has this note:
NOTE: Removing or modifying the default options may affect <our product> functionality and is not recommended.
Does this mean if their website is down then the use of their product on your on premises solution may be affected?
Rob Berendt
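
One way to see which outside hosts a product's CSP permits is to read the Content-Security-Policy header the on-prem server actually sends and list every non-local source in it. The script below is an added example, not part of either message or the vendor's manual; the sample policy, `vendor.example`, `app.intranet.example` and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample policy. vendor.example stands in for the redacted vendor
# site; the directives are assumptions, not the product's real default.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' http://www.vendor.example; "
    "style-src 'self' https://cdn.vendor.example; "
    "img-src 'self' data:"
)

def parse_csp(header):
    """Return {directive: [source expressions]} for one CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_csp(header, own_hosts=()):
    """Return (directive, source, issue) tuples worth raising with the vendor."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            if src.startswith("'"):  # keyword, nonce or hash source
                if src.lower() == "'unsafe-inline'" and directive in ("default-src", "script-src"):
                    findings.append((directive, src, "inline-script"))
                continue
            if src.endswith(":"):  # scheme-only source such as data: or blob:
                continue
            parts = urlsplit(src if "://" in src else "//" + src)
            host = (parts.hostname or "").lower()
            if host not in own:
                findings.append((directive, src, "external-host"))
            if parts.scheme == "http":
                findings.append((directive, src, "plaintext-http"))
    return findings

def external_hosts(header, own_hosts=()):
    """Hosts outside own_hosts that the policy lets pages load from."""
    return sorted({urlsplit(s if "://" in s else "//" + s).hostname
                   for _, s, issue in audit_csp(header, own_hosts)
                   if issue == "external-host"})

if __name__ == "__main__":
    for finding in audit_csp(SAMPLE_CSP, own_hosts=["app.intranet.example"]):
        print(*finding, sep="\t")
```

The policy only shows what the browser is permitted to load; whether the product really fetches from those hosts can be confirmed in the browser's network tab while using the application.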