Content-Security-Policy

The Content-Security-Policy HTTP header, also known as the CSP header, is a relatively recent HTTP header which "helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks".

… the Content-Security-Policy header to strict values which disallow inline JavaScript and CSS within HTML pages, for example with default-src 'self'.

… Content-Security-Policy with those Orbeon Forms versions will prevent Orbeon Forms from working correctly.

… the Content-Security-Policy header. While Orbeon Forms already takes measures against XSS and data injection, disabling the use of inline scripts can make Orbeon Forms even safer by default.

… false:

… false.

… the Content-Security-Policy header is generated more globally by a reverse proxy or server.

… web.xml:

… the param-value to any legal value supported by web browsers. In this example, default-src 'self' "Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes." (Mozilla)

The content-security-policy name must remain in lowercase. It is a configuration parameter name, not the actual header name.
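The practical question raised above is whether a given policy value actually disallows inline JavaScript and CSS, since that is what determines whether an older Orbeon Forms deployment keeps working behind it. The following Python script is an added example, not code from Orbeon Forms or its documentation: it parses a Content-Security-Policy value and reports whether inline script and inline style would be permitted, honouring the fallback from script-src and style-src to default-src and the CSP2+ rule that a nonce or hash source makes browsers ignore 'unsafe-inline'. The policies in SAMPLES are constructed for the demonstration, and all function names are this example's own.

```python
"""Evaluate whether a Content-Security-Policy value disallows inline
scripts and styles. Added example, not Orbeon Forms code; the sample
policies at the bottom are constructed."""

from dataclasses import dataclass

FALLBACK = "default-src"
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';'; the first token of each is the
    directive name (case-insensitive, normalised to lowercase). When a
    directive is repeated, browsers keep the first occurrence, so we do too.
    """
    directives: dict[str, list[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def governing_sources(directives: dict[str, list[str]], directive: str):
    """Return the source list that governs `directive`.

    script-src and style-src fall back to default-src when absent.
    None means nothing governs it, i.e. no restriction at all.
    """
    if directive in directives:
        return directives[directive]
    return directives.get(FALLBACK)


def inline_allowed(directives: dict[str, list[str]], directive: str) -> bool:
    """True if inline content governed by `directive` would run unrestricted.

    Inline runs when nothing governs it, or when 'unsafe-inline' is present
    and no nonce-/hash-source is present. A policy carrying a nonce or hash
    only whitelists matching blocks, which this check treats as blocked.
    """
    sources = governing_sources(directives, directive)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


@dataclass
class InlineReport:
    inline_script_allowed: bool
    inline_style_allowed: bool


def check_policy(header_value: str) -> InlineReport:
    """Report inline script/style permission for one CSP header value."""
    directives = parse_csp(header_value)
    return InlineReport(
        inline_script_allowed=inline_allowed(directives, "script-src"),
        inline_style_allowed=inline_allowed(directives, "style-src"),
    )


# Constructed sample policies (not taken from any real deployment).
SAMPLES = {
    "strict": "default-src 'self'",
    "relaxed": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
               "style-src 'self' 'unsafe-inline'",
    "nonce": "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'",
    "empty": "",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        report = check_policy(value)
        print(f"{label:8} inline script: {report.inline_script_allowed!s:5} "
              f"inline style: {report.inline_style_allowed}")
```

Run against a header captured from a reverse proxy or the application itself; a result of False for both fields with the "strict" policy is exactly the situation in which the page says Orbeon Forms versions that still rely on inline resources will stop working.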