Content Security Policy

CS: 4.1.0 CS 4.1.0

Content Studio enforces Content Security Policy (CSP) to prevent cross-site scripting, clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

This is done to secure Content Studio itself but also affects custom widgets whose content will be injected into Content Studio. Make sure your widget doesn’t have inline scripts/styles or scripts loaded from external domains, because those will be blocked by CSP.

Content preview in Content Studio is protected by XP’s own Content Security Policy and can be configured in XP Admin config file
It’s possible to customise CSP header in Content Studio or turn it off completely using Content Studio’s config file. CSP header in the Page Editor is currently not customisable.