As per Apply Content Security Policy, I've recently removed the unsafe-inline from being added to response headers. However, when generating PDF's via the Ultimate PDF module I notice in the browsers Developer Console that the directive is blocking some content, which I assume is inline CSS. Upon reviewing the generated PDF it's clear that the layout has become jumbled due to this issue.
Apart from adding the unsafe-inline directive at the application level to allow Ultimate PDF to use inline styles is there another, more secure way? Is there any plan to update Ultimate PDF to do away with the inline styles?
Hello @Ben Wolrige,
Ultimate PDF currently relies on inline styles for rendering accurate layouts in generated PDFs. When unsafe-inline is removed from the CSP, these styles are blocked, causing layout issues. The only workaround for now is to allow unsafe-inline for the specific PDF generation endpoint or create a CSP exception just for that resource. There’s no official update yet to eliminate inline styles, but a future version may adopt a safer styling approach.
Ultimate PDF still uses inline styles, so removing unsafe-inline breaks its layout.
You can either re-enable it just for PDF generation or switch to a module supporting external CSS.