Content Security Policy | HCL Digital Experience

The Content-Security-Policy header is used by modern browsers to enhance the security of HCL Digital Experience site documents or web pages by allowing HCL Digital Experience administrators or developers to declare which dynamic resources are allowed to load.


Content Security Policy (CSP) is a well-known defense against cross-site scripting (XSS) attacks (delivery of malicious code along with intended content). CSP provides browsers with the following capabilities:
  • A Content-Security-Policy HTTP request header which defines an allowlist
  • Allowlists which tell the browser what is and is not allowed
  • Reporting of policy violations to the server

The security model of the web is rooted in the same-origin security policy, which ensures that domain origins are kept isolated.

For more information, see the introductory Google Web Fundamentals article on Content Security Policy (CSP).

With HCL Digital Experience Container Update CF_192 and later releases, developers can use platform support and guidance to update their DX sites so that scripts requested to execute are verified as coming from trusted sources before pages are rendered to end users. See the guidance topics for Content Security Policy listed in the following sections.

Video: Content Security Policy with HCL Digital Experience 9.5


CSP has the following limitations:
  • Dojo is unsupported, because it is difficult to make Dojo CSP-compliant by eliminating inline JavaScript and styles. As a result, any DX artifact (modules, portlets, themes) that requires Dojo is also not supported, including:
    • The Default85 theme. The standard skin uses Dojo for some of the menu processing.
    • Some context menus in the toolbar and skins
    • Any modules using Dojo
    • Edit mode
    • Semantic tagging
  • We recommend the use of explicit styles in the rich text editor instead of the default inline styles.
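
The limitations above come down to inline JavaScript and inline styles. The following audit script is an added example, not part of the HCL documentation or product: it uses Python's standard html.parser module to list the inline constructs in a page that a policy without 'unsafe-inline' would block. The sample markup, the finding labels and the audit function are constructed for illustration, and nonce or hash sources in the policy are not considered.

```python
from html.parser import HTMLParser

# Constructed sample page fragment (not taken from an HCL DX theme).
SAMPLE = """<html><head>
<link rel="stylesheet" href="/theme/site.css">
<style>.menu { display: none }</style>
<script src="/theme/app.js"></script>
<script>window.cfg = {debug: false};</script>
</head><body>
<a href="#" onclick="openMenu()">Menu</a>
<p style="color: red">Rich text with an inline style</p>
<p class="warning">Rich text with an explicit class</p>
</body></html>"""

class InlineAudit(HTMLParser):
    """Records markup that a policy without 'unsafe-inline' will not run or apply."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (line, kind, detail)
        self._open = None    # (tag, line) of a <script>/<style> that may have a body

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        names = [name for name, _ in attrs]
        for name in names:
            if name.startswith("on"):        # onclick, onload, ... event handlers
                self.findings.append((line, "inline-event-handler", f"{tag}[{name}]"))
            elif name == "style":            # style="..." attribute
                self.findings.append((line, "inline-style-attribute", tag))
        if tag == "style" or (tag == "script" and "src" not in names):
            self._open = (tag, line)

    def handle_data(self, data):
        # Only a non-empty body counts; an empty <script></script> is harmless.
        if self._open and data.strip():
            tag, line = self._open
            self.findings.append((line, f"inline-{tag}-block", tag))
            self._open = None

    def handle_endtag(self, tag):
        if self._open and self._open[0] == tag:
            self._open = None

def audit(markup):
    """Return sorted (line, kind, detail) findings for one HTML document."""
    parser = InlineAudit()
    parser.feed(markup)
    parser.close()
    return sorted(parser.findings)

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE):
        print(f"line {line}: {kind} ({detail})")
```

In the sample, the external stylesheet, the external script and the paragraph styled through a class produce no findings, while the style block, the script block, the onclick handler and the style attribute are each reported with their line number.
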
For more information on how to configure custom styles for Advanced Text Editor, see the following resources: