Content Security Policy

This feature is available since Bloomreach Experience Manager 15.0.0.

By default, Bloomreach Experience Manager 15.0.0 and later ship with a Content Security Policy enabled. The policy is not very strict yet: the CMS still depends on some legacy JavaScript libraries that require the “unsafe” CSP source keywords (such as 'unsafe-inline' or 'unsafe-eval'), so those keywords cannot be dropped from the policy at the moment. Future releases will work on resolving those dependencies and locking down the CSP.

The most impactful CSP rules are the ones that restrict which domains may be loaded through elements such as <iframe>, <script> and <style> (the frame-src, script-src and style-src directives). This affects Open UI extensions in particular, because an extension is loaded from its own domain, and a resource whose origin is not listed in the policy is blocked by the browser, which reports the violation in the developer console. Developers have to add such domains to the CSP configuration manually; it is located in the repository at:

/hippo:configuration/hippo:modules/application-settings/hippo:moduleconfig/content-security-policy.

The following CSP directives can currently be configured:

  • connect-src (endpoints for XHR, fetch and WebSocket calls)
  • frame-ancestors (which sites may embed the CMS in a frame)
  • frame-src (which URLs the CMS may load in an <iframe>, such as Open UI extensions)
  • img-src (image sources)
  • script-src (JavaScript sources)
  • style-src (stylesheet sources)
  • font-src (web font sources)
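As an added example (not part of the Bloomreach documentation or product code), the following script parses a Content-Security-Policy header value and checks which resource URLs the policy would block, so that an Open UI extension's domains can be tested against a policy before they are added to the repository configuration. The sample policy, the CMS origin `https://cms.example.com`, and the extension URLs are all constructed for illustration; the source matching is a simplified form of the CSP Level 3 rules (scheme, host wildcard, port and path prefix), not a complete implementation.

```python
"""Added example (not Bloomreach documentation or product code): parse a
Content-Security-Policy header and check which resource URLs it would block,
so an Open UI extension's origins can be tested before they are added to the
repository configuration. Sample policy, CMS origin and URLs are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
WEAK = {"'unsafe-inline'", "'unsafe-eval'", "*"}

# Constructed sample: still needs the 'unsafe' keywords for legacy libraries.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com/libs/; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data: https:; "
    "font-src 'self' https://fonts.gstatic.com; "
    "connect-src 'self' https://api.example.com; "
    "frame-src 'self' https://*.extensions.example.com; "
    "frame-ancestors 'self'"
)
CMS_ORIGIN = "https://cms.example.com"  # assumed origin of the CMS page

def parse_csp(header):
    """Map directive name -> source expressions; a repeated directive is ignored, per spec."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)

def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # *.example.com matches a.example.com but not example.com
        return host.endswith(pattern[1:])
    return pattern == host

def _source_allows(expr, url, self_origin):
    """Does one source expression permit url? Keywords, nonces and hashes never match a URL."""
    u = urlsplit(url)
    if expr == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, u.hostname, _effective_port(u)) == (s.scheme, s.hostname, _effective_port(s))
    if expr.startswith("'"):  # 'none', 'unsafe-inline', 'nonce-...', 'sha256-...'
        return False
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as https: or data:
        return u.scheme == expr[:-1] or (expr == "http:" and u.scheme == "https")
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    path = "/" + path if slash else ""
    if scheme is not None:
        if u.scheme != scheme.lower() and not (scheme.lower() == "http" and u.scheme == "https"):
            return False
    elif u.scheme not in (urlsplit(self_origin).scheme, "https"):
        return False  # no scheme given: the page's scheme (or https) is implied
    if not _host_matches(host.lower(), (u.hostname or "").lower()):
        return False
    if port != "*":  # no port given: only the default port for the URL's scheme matches
        if _effective_port(u) != (int(port) if port else DEFAULT_PORTS.get(u.scheme)):
            return False
    if path.endswith("/"):  # a trailing slash makes the path a prefix match
        return u.path.startswith(path)
    return not path or u.path == path

def _sources_for(policy, directive):
    """Fallback chain: frame-src -> child-src -> default-src; frame-ancestors never falls back."""
    chain = {"frame-src": ("frame-src", "child-src", "default-src"),
             "frame-ancestors": ("frame-ancestors",)}.get(directive, (directive, "default-src"))
    return next((policy[name] for name in chain if name in policy), None)

def allowed(policy, directive, url, self_origin):
    """True if the policy lets `directive` load `url`; no governing directive means no restriction."""
    sources = _sources_for(policy, directive)
    return sources is None or any(_source_allows(s, url, self_origin) for s in sources)

def blocked_resources(policy, self_origin, resources):
    """Return the (directive, url) pairs from `resources` that the policy would block."""
    return [(d, u) for d, u in resources if not allowed(policy, d, u, self_origin)]

def weak_sources(policy):
    """Directives that still rely on the 'unsafe' keywords or a bare wildcard."""
    return {d: [s for s in srcs if s in WEAK] for d, srcs in policy.items() if WEAK & set(srcs)}

if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    needed = [  # constructed resources a hypothetical Open UI extension would load
        ("frame-src", "https://my-ext.extensions.example.com/index.html"),
        ("script-src", "https://cdn.example.com/other/vendor.js"),
        ("connect-src", "https://api.example.com:8443/v1/items"),
    ]
    for directive, url in blocked_resources(policy, CMS_ORIGIN, needed):
        print("blocked by", directive + ":", url)
    for directive, keywords in weak_sources(policy).items():
        print(directive, "still allows", " ".join(keywords))
```

To test the real policy instead of the constructed sample, capture the Content-Security-Policy response header from the CMS (for example with curl -sI against the CMS URL) and pass its value to parse_csp; the blocked_resources output then lists the domains that still need to be added under the repository node above, and weak_sources shows which directives still carry the 'unsafe' keywords that the page says will be removed in later releases.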