[Html2PdfConverter] Content Security Policy (CSP) blocking images and CSS

Forge Component
Published on 26 Sep (4 weeks ago) by Guilherme Pereira
51 votes

After activating the CSP on LifeTime for the Production environment, the PDFs are being generated without any formatting or images. After a few tests we figured out that the img-src and style-src rules need to have a '*' besides the 'self' to allow the correct generation of the PDF.

Since the 'self' is already there the '*' shouldn't be necessary since the URLs requested for the images and CSS are from the same server (self).

Any ideas on what might be happening here?


Pedro Delgado

Hi Pedro,

I asked for help on this one.

Let's hope someone can answer your question!




Self is VERY restrictive. It says that the only trustworthy source is the domain itself. If the images are in a subdomain, they will not be loaded (don't know if it restricts paths, also).
The * says "load from everywhere".

So, my FIRST guess would be that the images and so on, that he is trying to load, are not exactly in the "same" place as the application. Also, if the site is http and he is trying to access it using https, it would block the images if using Self.

And, finally, what I was looking for.
Here: https://stackoverflow.com/questions/16627310/wkhtmltopdf-not-loading-local-css-and-images#16650685

It seems that adding a "base" tag to the header could solve the problem (it seems that it is a problem of the executable not sending the information correctly to the server).

Seems really to be a problem of communication between the wkhtmltopdf executable and the server...

Eduardo Jauch
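
An added example (not part of the thread, and not OutSystems or wkhtmltopdf code): one way to check which image and stylesheet URLs in the HTML handed to the converter resolve to the page's own origin, so that the specific sources can be listed in img-src and style-src instead of '*'. It assumes a strict scheme, host and port comparison for 'self'; the page URL and markup are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) for an http(s) URL; None for file:, data:, etc."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme])

class ResourceCollector(HTMLParser):
    """Collects image and stylesheet URLs, resolved against <base href> if present."""
    def __init__(self, page_url):
        super().__init__()
        self.base, self.base_seen, self.found = page_url, False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and not self.base_seen:
            self.base, self.base_seen = urljoin(self.base, a["href"]), True
        elif tag == "img" and a.get("src"):
            self.found.append(("img-src", urljoin(self.base, a["src"])))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.found.append(("style-src", urljoin(self.base, a["href"])))

def audit(page_url, html):
    """Return [(directive, resolved_url, matches_self)] for every image/stylesheet."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    me = origin(page_url)  # 'self' is the origin of the document, not of <base>
    return [(d, u, me is not None and origin(u) == me) for d, u in collector.found]

# Constructed sample: the page URL and markup are invented for this example.
PAGE = "https://app.example.com/Reports/Invoice.aspx"
HTML = """<html><head>
<link rel="stylesheet" href="/Reports/Theme.css">
</head><body>
<img src="img/logo.png">
<img src="http://app.example.com/img/banner.png">
<img src="https://static.example.com/chart.png">
<img src="file:///tmp/report/stamp.png">
</body></html>"""

if __name__ == "__main__":
    for directive, url, ok in audit(PAGE, HTML):
        print(f"{directive:9} {'self' if ok else 'NOT self':8} {url}")
```

Every URL reported as "NOT self" points at a scheme, host or port that would have to be named explicitly in the policy; a `<base href>` on another origin moves every relative URL out of 'self' as well.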