Content-Security-Policywith those Orbeon Forms versions will prevent Orbeon Forms from working correctly.
Content-Security-Policyheader. While Orbeon Forms already takes measures against XSS and data injection, disabling the use of inline scripts can make Orbeon Forms even safer by default.
Content-Security-Policyheader is generated more globally by a reverse proxy or server.
param-valueto any legal value supported by web browsers. In this example,
default-src 'self'"Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes." (Mozilla)
content-security-policyname must remain in lowercase. It is a configuration parameter name, not the actual header name.