Hello everyone,
We noticed that the value gap: is being automatically added to the child-src and default-src directives in our Content Security Policy (CSP) configuration.
Since our application is a web-based app (not a mobile app), the inclusion of gap: is unnecessary and, as per CSP best practices, it may cause fallback or enforcement issues in certain browsers.
Could you please advise:
Why gap: is being automatically included in these directives by OutSystems?
How we can prevent or remove this value from being added automatically within the CSP configuration?
Thanks and Regards,
Vijay D
Hello @Vijay Dhasnamoorthy,
Yes, when you click the Save button, gap: is automatically added to the child-src and default-src directives by default, primarily for hybrid mobile apps. This behavior applies at the environment level, and my theory is that it occurs because an environment can host both mobile and web applications, so OutSystems includes gap: by default to ensure mobile app support. However, this mechanism is not present in ODC, where you can freely define and manipulate CSP values without gap: being automatically.
Based on the documentation for ODC: Content Security Policy, this flexibility is supported. For O11, however, the CSP cannot be overridden as described in the documentation section Apply Content Security Policy
Hi Sherif,
Thank you for your response.
I have overridden the CSP values at the application level to remove the gap: value and saved the configuration. However, the gap: value is still automatically appended after clicking Save.
Could you please advise if there are any other possible solutions?
Thanks.
Unfortunately, I haven’t found any method to override these values in O11. According to the documentation, they are added by default and cannot be modified.