Hi,
The WebHelp generated by our H+M project is deployed to a subfolder of an ASP.NET application. The application uses a Content-Security-Policy response header (https://content-security-policy.com/) and this caused the WebHelp content to not display unless we "loosened" up the CSP for the Help folder.
We have worked around this issue for the time being, but I wondered if you have any information about how best to use the CSP header together with WebHelp.
Using WebHelp when there is a Content Security Policy
Moderators: Alexander Halser, Tim Green
Tim Green (Site Admin)
Re: Using WebHelp when there is a Content Security Policy
Hi Phil,
This is an issue that is almost never mentioned (perhaps a couple of times in the last 20 years). Theoretically, it should be possible to comply by setting all content security sources to 'self'. The problem is that WebHelp uses both external CSS and script files and a lot of inline script and CSS to reduce the number of necessary HTTP requests for better performance.
If the content security spec allowed setting both inline code to allowed and external files to self only, then there would not be a problem. But it is an either/or option. Even using hashes or nonces to allow the specific inline code wouldn't work, because then none of the external files would load. The only way around this would be a complete rewrite, eliminating all inline JS and CSS, and also all things like JS references in links, and that just isn't going to happen any time soon.
Regards,
Tim (EC Software Documentation & User Support)
Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
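A small policy checker, added here as an example (it is not Help+Manual or EC Software code), that parses a Content-Security-Policy header value and reports which of the resource kinds a WebHelp page relies on it admits: same-origin script and style files, inline script and style blocks, and javascript: links. The header values, the inline script text and all helper names are constructed for the example. A CSP source list may contain several expressions, so the check is run against a site-wide `default-src 'self'`, a loosened policy scoped to the Help folder, and a hash-based variant that admits only one known inline block.

```python
import base64
import hashlib

# Constructed sample: an inline bootstrap script of the kind a generated
# help page might carry. The text is invented for this example.
SAMPLE_INLINE_SCRIPT = "var hmHelpRoot = '/Help/';\n"

HASHED_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}.
    A repeated directive is ignored, as the spec requires (first one wins)."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list governing a fetch directive, falling back to default-src.
    None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def sha256_source(content):
    """Build the 'sha256-...' source expression for one inline code block."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def has_nonce_or_hash(sources):
    return any(s.startswith(HASHED_PREFIXES) for s in sources)


def allows_self(policy, directive):
    """External file served from the same origin, e.g. /Help/some.js.
    Simplified: host-source matching beyond 'self' and '*' is not modelled."""
    srcs = effective_sources(policy, directive)
    return srcs is None or "'self'" in srcs or "*" in srcs


def allows_inline(policy, directive, content=None):
    """Inline <script> or <style> block. A matching hash admits it; otherwise
    'unsafe-inline' does, unless a nonce or hash source is present, in which
    case browsers ignore 'unsafe-inline' (CSP level 2 and later)."""
    srcs = effective_sources(policy, directive)
    if srcs is None:
        return True
    if content is not None and sha256_source(content) in srcs:
        return True
    return "'unsafe-inline'" in srcs and not has_nonce_or_hash(srcs)


def allows_javascript_urls(policy):
    """javascript: links behave like inline script, and a plain hash does not
    cover them, so only 'unsafe-inline' admits them in this model
    (CSP3's 'unsafe-hashes' is deliberately left out)."""
    srcs = effective_sources(policy, "script-src")
    if srcs is None:
        return True
    return "'unsafe-inline'" in srcs and not has_nonce_or_hash(srcs)


def check_webhelp(header, inline_script=SAMPLE_INLINE_SCRIPT):
    """Report, per resource kind WebHelp needs, whether the policy admits it."""
    policy = parse_csp(header)
    return {
        "external_script": allows_self(policy, "script-src"),
        "external_style": allows_self(policy, "style-src"),
        "inline_script": allows_inline(policy, "script-src", inline_script),
        "inline_style": allows_inline(policy, "style-src"),
        "javascript_links": allows_javascript_urls(policy),
    }


# Constructed headers for the three cases discussed in the thread.
STRICT_POLICY = "default-src 'self'"
HELP_FOLDER_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
                      "style-src 'self' 'unsafe-inline'")
HASHED_POLICY = ("default-src 'self'; script-src 'self' "
                 + sha256_source(SAMPLE_INLINE_SCRIPT)
                 + "; style-src 'self' 'unsafe-inline'")

if __name__ == "__main__":
    for name, header in [("site-wide", STRICT_POLICY),
                         ("help folder", HELP_FOLDER_POLICY),
                         ("hashed", HASHED_POLICY)]:
        print(name, check_webhelp(header))
```

Run it against the header the Help folder actually returns (the browser console lists each resource the policy blocks) before changing the deployment. The hashed variant makes the trade-off visible: a hash admits exactly one inline block and makes browsers ignore 'unsafe-inline' in that directive, so any other inline script and every javascript: link stays blocked.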