We are getting Content Security Policy(CSP) errors when generating a PDF with UltimatePDF.
Error log:
Message:
Content Security Policy blocked 'https://dev-environment.outsystemsenterprise.com/Module/Screen'.
Stack:
Blocked-uri: https://dev-environment.outsystemsenterprise.com/Module/ScreenDocument-uri: https://localhost.outsystemsenterprise.com/Module/Screen?Parameter=120Violated-directive: base-uriEffective-directive: base-uri
Original-policy: -- CSP Config details in the log –
Referrer:Status-code: 200
The PDF is generated by using the PrintToPDF server action.
The URL passed to the action is “https://dev-environment.outsystemsenterprise.com/Module/Screen?Parameter=120”, there is no localhost value being passed to the action. We are not sure why the error says localhost in the Document-uri.
We have tried to add localhost to the base-uri CSP configuration, but the errors keep occurring.
Even though theses errors are appearing in the Service Center, the PDF is generated correctly and there are no errors for the end-user.
Hi Lucas,
In the past, I have faced similar issues, and although the error was not clear, the problem was with the URL of an external source used on the screen that was trying to generate as a PDF. Are you using any external sources?
ty.
Hi Gonçalo,
There are no external sources in our screen.
Try to call your screen using:
http://localhost/Module/Screen?Parameter=120.
These types of solutions typically use an embedded browser, such as Chromium, to internally call the provided URL. This browser is installed on the same application server, allowing it to resolve localhost addresses internally.
If not works, is possible to provide the error log exported from the service center?
ty
Hey @Lucas Braga de Oliveira ,Not sure if this is the issue, but just to double check.
If you have custom values in your CSP configurations, can you also check if you have 'self' in the Base-URI? Like this:
You can find more info about CSP rules here as well.Let me know if it helps,Best Regards,
RR :)
Hi Lucas.
The "localhost" in the URL is an internal URL that Ultimate PDF uses to render the screen on the server-side.
The "base-uri" issue is only relevant if you have hyperlinks on the PDF. These hyperlinks will need to point to "dev-environment" instead of "localhost", so for that reason Ultimate PDF changes the base-uri of the document to the original URL (in this case "dev-environment"). This will trigger a CSP error if "dev-environment" is not explicitly whitelisted on the base-uri settings. Note that "self" is not enough in this case, because "self" evaluates to "localhost" in this scenario.
We might review this behavior in the future, since there are better ways to fix the hyperlinks without having to change the base-uri.
Actually, you may be using an older version of Ultimate PDF, because this error has been fixed on version 11. Starting with that version, you should no longer receive logs for CSP violations.