PDFTron is now Apryse, learn more here.

Using a Content Security Policy (CSP) with WebViewer

MDN says a Content Security Policy (CSP) is:
"an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks."

Recommended policy

WebViewer requires certain CSP directives to be used. If you do not need to support embedded JavaScript, the current recommended policy is:

script-src 'self'; font-src 'self' data: blob:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'

If you use this policy and want to make sure the embedded JavaScript warnings and errors caused by the CSP don't show up, you can disable embedded JavaScript in WebViewer.

Allowing embedded JavaScript

If you need to enable embedded JavaScript, you currently need to allow 'unsafe-inline' and 'unsafe-eval' for script-src:

script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; font-src 'self' data:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'
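
To check a deployed policy against the two policies above before rollout, the following added example (not Apryse's code; the names `parseCsp`, `effectiveSources` and `auditWebViewerCsp` are hypothetical) reports the sources WebViewer needs that the policy would block, and the `'unsafe-*'` script sources it grants without need. It compares source tokens literally and does not evaluate wildcards or host matching.

```javascript
// Added example: the two policies are copied from this page; all names are hypothetical.
const RECOMMENDED = {
  noEmbeddedJs:
    "script-src 'self'; font-src 'self' data: blob:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'",
  embeddedJs:
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; font-src 'self' data:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'",
};

// Parse a CSP header value into Map<directive, Set<source>>.
// A directive that appears twice is ignored after its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, new Set(sources));
  }
  return directives;
}

// Sources that apply to a fetch directive: its own list, else default-src,
// else null (the policy does not restrict that resource type at all).
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

function auditWebViewerCsp(deployed, { embeddedJs = false } = {}) {
  const have = parseCsp(deployed);
  const need = parseCsp(embeddedJs ? RECOMMENDED.embeddedJs : RECOMMENDED.noEmbeddedJs);
  const missing = [];
  for (const [name, sources] of need) {
    const allowed = effectiveSources(have, name);
    if (allowed === null) continue; // unrestricted, so nothing WebViewer needs is blocked
    for (const src of sources) {
      if (!allowed.has(src)) missing.push(`${name} ${src}`);
    }
  }
  // Script sources granted beyond what the chosen mode needs.
  const script = effectiveSources(have, 'script-src');
  const excess = script
    ? [...script].filter((s) => s.startsWith("'unsafe-") && !need.get('script-src').has(s))
    : ['script-src unrestricted'];
  return { missing, excess };
}
```

An empty `missing` list means WebViewer's required sources are allowed; a non-empty `excess` list in the no-embedded-JavaScript mode means `script-src` is looser than the recommended policy.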
