Using WebHelp when there is a Content Security Policy

Please post all questions on Help+Manual 8 here

Moderators: Alexander Halser, Tim Green

Phil Haselden
Posts: 8
Joined: Thu Nov 05, 2020 1:46 am


Hi,

The WebHelp generated by our H+M project is deployed to a subfolder of an ASP.NET application. The application uses a Content-Security-Policy response header (https://content-security-policy.com/) and this caused the WebHelp content to not display unless we "loosened" up the CSP for the Help folder.

We have worked around this issue for the time being, but I wondered if you have any information about how best to use the CSP header together with WebHelp.
Tim Green
Site Admin
Posts: 23189
Joined: Mon Jun 24, 2002 9:11 am
Location: Bruehl, Germany

Re: Using WebHelp when there is a Content Security Policy


Hi Phil,

This is an issue that is almost never mentioned (perhaps a couple of times in the last 20 years). Theoretically, it should be possible to comply by setting all content security sources to 'self'. The problem is that WebHelp uses both external CSS and script files and a lot of inline script and CSS to reduce the number of necessary HTTP requests for better performance.

If the content security spec allowed setting both inline code to allowed and external files to self only, then there would not be a problem. But it is an either/or option. Even using hashes or nonces to allow the specific inline code wouldn't work, because then none of the external files would load. The only way around this would be a complete rewrite, eliminating all inline JS and CSS, and also all things like JS references in links, and that just isn't going to happen any time soon. :?
Regards,
Tim (EC Software Documentation & User Support)

Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
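
A build-step sketch for the situation discussed in this thread, added here and not part of the original posts or of Help+Manual: it scans a generated help page for inline `<script>` and `<style>` blocks, computes CSP `sha256` source expressions for them, and lists them next to `'self'` in a policy intended only for the help subfolder. The sample page, its file names and the function names are constructed for illustration; inline event-handler attributes, `style` attributes and `javascript:` links are only reported, because hashes of `<script>`/`<style>` blocks do not cover them.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page; file names are placeholders, not real WebHelp output.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="css/main.css">
<style>body{margin:0}</style>
<script src="js/nav.js"></script>
<script>var ready=1;</script>
</head><body><a href="javascript:void(0)" onclick="toggle()">Expand</a></body></html>"""

class InlineCollector(HTMLParser):
    """Collect inline <script>/<style> bodies and note what hashes cannot cover."""
    def __init__(self):
        super().__init__()
        self.blocks = {"script": [], "style": []}
        self.unhashable = []  # event handlers, style attributes, javascript: links
        self._tag, self._buf = None, []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on") or name == "style":
                self.unhashable.append(f"{tag}[{name}]")
            elif name == "href" and (value or "").strip().lower().startswith("javascript:"):
                self.unhashable.append(f"{tag}[href=javascript:]")
        if tag in self.blocks and not dict(attrs).get("src"):
            self._tag, self._buf = tag, []  # inline block: buffer its text
    def handle_data(self, data):
        if self._tag:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == self._tag:
            self.blocks[tag].append("".join(self._buf))
            self._tag = None

def csp_hash(text):
    """CSP source expression for one inline block: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_policy(html):
    # Returns (policy string, list of constructs the hashes do not cover).
    c = InlineCollector()
    c.feed(html)
    c.close()
    parts = ["default-src 'self'"]
    for directive, tag in (("script-src", "script"), ("style-src", "style")):
        hashes = sorted({csp_hash(body) for body in c.blocks[tag]})
        parts.append(" ".join([directive, "'self'"] + hashes))
    return "; ".join(parts), c.unhashable
```

A real run would feed every generated page through `build_policy` and merge the hashes, and the header would need regenerating each time the help is republished, since any change to an inline block changes its hash.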
Phil Haselden
Posts: 8
Joined: Thu Nov 05, 2020 1:46 am

Re: Using WebHelp when there is a Content Security Policy


Thanks Tim!