Content Security Policy | HCL Digital Experience
The Content-Security-Policy header is used by modern browsers to enhance the security of HCL Digital Experience site documents or web pages by allowing HCL Digital Experience administrators or developers to declare which dynamic resources are allowed to load.
Overview
- A Content-Security-Policy HTTP request header which defines an allowlist
- Allowlists which tell the browser what is and is not allowed
- Reporting of policy violations to the server
The security model of the web is rooted in the same-origin security policy which ensures that domain origins are kept isolated.
For more information, see the introductory Google Web Fundamentals article on Content Security Policy (CSP).
With HCL Digital Experience Container Update CF_192 and later releases, developers can use the platform support and guidance to update their DX sites so that scripts requested for execution are verified as coming from trusted sources before pages are rendered to end users. See the guidance topics for Content Security Policy as listed in the following sections.
Video: Content Security Policy with HCL Digital Experience 9.5
Limitations
- Dojo is unsupported because of the difficulty of making Dojo CSP-compliant by eliminating inline JavaScript and styles. As a result, any DX artifact (modules, portlets, themes) that requires Dojo is also not supported, including:
  - The Default85 theme. The standard skin uses Dojo for some of the menu processing.
  - Some context menus in the toolbar and skins
  - Any modules using Dojo
  - Edit mode
  - Semantic tagging
- We recommend the use of explicit styles in the rich text editor instead of the default inline styles.
- Documentation resource: Rich Text Editor Toolbar configuration options
- Documentation resource: Using your own document styles in customizing the Rich Text Editor
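As an added example (not code from the HCL documentation or product), the following Python checker models the allowlist behaviour described in the Overview and shows why a policy that forbids inline scripts excludes the Dojo-based artifacts listed under Limitations. The host names portal.example.com and cdn.example.com and the sample policies are constructed placeholders, and source matching is simplified (no path matching, ports must match exactly).

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))

def source_matches(source, url, page_origin):
    """True if one source expression permits loading `url`.
    Simplified matching: scheme, host and *.wildcard subdomains; port must match exactly."""
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-source such as https:
        return u.scheme == source[:-1]
    scheme, host = source.split("://", 1) if "://" in source else (None, source)
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):  # *.example.com matches cdn.example.com but not example.com
        return u.netloc.endswith(host[1:])
    return u.netloc == host

def script_allowed(header, script_url, page_origin):
    """Would the browser fetch and run an external script from script_url under this policy?"""
    sources = effective_sources(parse_csp(header), "script-src")
    return any(source_matches(s, script_url, page_origin) for s in sources)

def inline_scripts_allowed(header):
    """Inline <script> blocks (what Dojo relies on) run only with 'unsafe-inline'; a nonce
    or hash source in the same directive makes the browser ignore 'unsafe-inline'."""
    sources = effective_sources(parse_csp(header), "script-src")
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not nonce_or_hash

# Constructed sample policies for a DX site; portal.example.com and cdn.example.com are placeholders.
PAGE_ORIGIN = "https://portal.example.com"
PERMISSIVE = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT = "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-report"
```

Under STRICT, inline_scripts_allowed returns False, which is the condition under which Dojo-dependent artifacts stop working, while PERMISSIVE lets any https: origin serve scripts and therefore provides little protection.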