- Issue created by @Freddy Rodriguez
- Status changed to Closed: works as designed
about 1 year ago 9:00pm 8 December 2023 - ๐ณ๐ฑNetherlands jurriaanroelofs
Thank you for your ticket. I'm not sure if this is a bug, or just the content security policy doing exactly what it is designed for.
The purpose of using style-src 'self' is to restrict the website from loading stylesheets from any external sources. DXPR Builder needs to load both stylesheets and javascript assets from our cloud infrastructure. This is not something we can fix from our side but something that requires a tailored strategy from the CSP implementation side. Some options you have:
1. Replace style-src 'self' with style-src https://example.com https://cdn.dxpr.com; where example.com is your domain name.
2. Configure your website to apply the stricter rule style-src 'self' only to user roles that do not use DXPR Builder
3. Keep using style-src 'self' but creating a proxy on your own domain to funnel assets from whitelisted domainsPlease consult compliance officers and security specialized software engineers in your organization to find the best solution that meets requirements in your situation.