https://success.outsystems.com/documentation/11/managing_the_applications_lifecycle/secure_the_applications/apply_content_security_policy/
According to this documentation, for example Default-src has 'unsafe-inline' and 'unsafe-eval' added at runtime. In my case that is not acceptable. I can't have any unsafe directives present in my content security policy. Is there any possibility to bypass this and use exactly the values that I want and that I need to use?
Thank you!
-Daniel
Hi Daniel,
For this kind of question I believe it would be better to contact OutSystems support directly. In OS 10 this was not being added at runtime, so there should be a reason behind it.
I'm not aware of any settings you can turn on/off that would change the runtime injection.
If you run a reverse proxy between your users and the OS backend, it could be possible to change this value and remove unwanted settings - it would depend on the reverse proxy capabilities.
IG
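As an added illustration (not code from the thread or from OutSystems), here is a small audit script for the situation Daniel describes: it parses a Content-Security-Policy header into its directives, reports every `'unsafe-inline'` / `'unsafe-eval'` source expression, and shows what a reverse-proxy rewrite that strips them would leave behind. The sample header is constructed to resemble the runtime-generated policy discussed above; it is an assumption, not a real OutSystems response.

```python
"""Audit a Content-Security-Policy header for unsafe source expressions.

Constructed example; not OutSystems code. The sample policy below is made up
to look like a runtime-generated header of the kind the thread describes.
"""
from typing import Dict, List, Tuple

# Source expressions that weaken a CSP against injected script/style.
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'"}

# Constructed sample header (assumption, not captured from a real deployment).
SAMPLE_CSP = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com; "
    "img-src 'self' data:; "
    "script-src 'self' 'unsafe-eval'; "
    "style-src 'unsafe-inline'; "
    "frame-ancestors 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive. Browsers honour only the first
    occurrence of a directive, so duplicates are ignored here as well.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def find_unsafe(policy: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (directive, source) pairs for every unsafe expression present."""
    return [
        (directive, source)
        for directive, sources in policy.items()
        for source in sources
        if source.lower() in UNSAFE_SOURCES
    ]


def strip_unsafe(policy: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return a copy of the policy with unsafe sources removed.

    A directive whose source list becomes empty is set to 'none' explicitly:
    an empty list already matches nothing per the CSP spec, but spelling it
    out makes the rewritten header unambiguous to whoever reads it.
    """
    stripped: Dict[str, List[str]] = {}
    for directive, sources in policy.items():
        kept = [s for s in sources if s.lower() not in UNSAFE_SOURCES]
        stripped[directive] = kept if kept else ["'none'"]
    return stripped


def serialize(policy: Dict[str, List[str]]) -> str:
    """Render a parsed policy back into header syntax."""
    return "; ".join(f"{d} {' '.join(s)}".strip() for d, s in policy.items())


if __name__ == "__main__":
    parsed = parse_csp(SAMPLE_CSP)
    for directive, source in find_unsafe(parsed):
        print(f"unsafe source {source} in {directive}")
    print("rewritten:", serialize(strip_unsafe(parsed)))
```

Running it against a real response (for example by feeding it the header captured from the deployed application) tells you exactly which directives carry unsafe sources. Note that, as the next reply points out, stripping them at a proxy only makes sense once the application itself no longer relies on inline script and `eval`; the rewritten header is what the proxy would send, not a guarantee the application still works.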
Hi Daniel,
The runtime adds these directives automatically because the applications generated by OutSystems require them to work correctly. In other words, the suggested reverse proxy solution would indeed remove the unwanted CSP directives, however the applications would no longer work.
The OutSystems platform will soon offer the option to generate reactive web and mobile applications that no longer require these directives.
Hi João,
Is this something in the pipeline for release this year?
Definitely, yes. If you want to be among the first to try it out, please contact your OutSystems team.