[SINCE Orbeon Forms 2018.1]
Content-Security-PolicyHTTP header, also known as CSP header, is a relatively recent HTTP header which "helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks".
Some organizations set the
Up until Orbeon Forms 2017.2, Orbeon Forms included some inline scripts and CSS in the HTML served to the browser. Disabling inline scripts and CSS with
Content-Security-Policywith those Orbeon Forms versions will prevent Orbeon Forms from working correctly.
With Orbeon Forms 2018.1 and newer, Orbeon Forms no longer produces inline scripts and CSS by default, which allows for these strict values of the
Content-Security-Policyheader. While Orbeon Forms already takes measures against XSS and data injection, disabling the use of inline scripts can make Orbeon Forms even safer by default.
The following XForms property allows you to re-enable inline scripts and CSS. The default is
We recommend leaving the value to the default of
In many cases, the
Content-Security-Policyheader is generated more globally by a reverse proxy or server.
But Orbeon Forms is able to produce that header as well, whether just for testing or for deployment. To enable this, simply uncomment the following entry in the Orbeon Forms WAR file's
<param-value>default-src 'self'; img-src 'self' data:</param-value>
You can set the
param-valueto any legal value supported by web browsers. In this example,
default-src 'self'"Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes." (Mozilla)
content-security-policyname must remain in lowercase. It is a configuration parameter name, not the actual header name.