Hello everyone,
We recently enabled Content Security Policy (CSP) in our OutSystems application.
1. style-src and script-src errors
After applying configuration, we are seeing CSP violations related to style-src and script-src in the browser console, specifically from the OutSystemsUI.controller.js file.
When we add 'unsafe-inline' to the style-src or script-src directives, the errors disappear — but we want to avoid 'unsafe-inline' for better security compliance.
2. PDF not fully loaded when opened in a new tab
When we try to open a PDF document in a new tab, it appears partially loaded or with a reduced height. Script used:
window.open(blobUrl, '_blank', 'locationbar=no,scrollbars=no,menubar=no,resizable,screenX=50,screenY=50,width=850,height=800');
This script was working fine before enabling CSP. However, after enabling CSP, the PDF does not render correctly.
Any guidance or best practices to resolve this securely would be greatly appreciated.
Thanks and regards,
Vijay D
Hi Vijay,
I’ve not hit this exact issue myself, but I’ve seen something similar when enabling CSP with OutSystems UI. From what I understand, the errors are happening because OutSystemsUI still injects some inline scripts/styles, so CSP blocks them when unsafe-inline is removed.
What you can try:
1) Add the SHA hashes shown in the browser console. This lets only those inline styles/scripts run, without opening everything. You’ll need to copy the SHA values and include them in your CSP config. This seems to work better than using unsafe-inline.
2) Or use a nonce. But managing nonces with OS UI can get a bit tricky.
For the PDF issue — it seems the window.open settings are also being blocked by CSP. Maybe try a simpler call:
window.open(blobUrl, "_blank");
or create a link element and trigger click, so it doesn’t need inline execution.
Honestly, adding the hashes looks like the most realistic approach with current OutSystems UI until they improve CSP support. Might need to update hashes after UI upgrades.
Hope this helps — do try and let us know if it works on your side!
Thanks and Regards,
Akshay Deshpande
Hi,
1. I have added the SHA value in style-src. Still the same console error occurs. Kindly check the screenshot below.
2. Using window.open(blobUrl, "_blank"); also shows the same issue.
Hi Vijay,
Thanks for sharing the screenshots — that helps. From what you’ve posted, it still looks like the CSP rules aren’t fully allowing the inline styles/scripts. A couple of things you can try:
1. Update CSP rules
Make sure these are added properly (and not being overridden by another header):
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline';
If you don’t want to use unsafe-inline, you’ll need to move inline JS/CSS into separate files.
2. PDF issue
For PDFs not opening correctly, try adding:
frame-src 'self' blob:;
Some browsers need this to show PDF content.
3. Double-check final headers
Sometimes proxies/extensions inject their own CSP. Open DevTools → Network → Response Headers → confirm CSP matches what you configured.
If you can share how you’re loading the PDF (iframe, link, UI widget), I can suggest a more specific fix.
Let’s see if this helps!
Hi @Vijay Dhasnamoorthy,
I’m sharing an article and a discussion thread that address these issues: