What are the Content Security Policy requirements?

daniel.young · July 10, 2023, 10:20pm

Which product are you using?
Evaluating whether PDF.js Express Plus is suitable

PDF.js Express Version

N/A

Detailed description of issue
Before we commit to using PDF.js Express Plus we need to know what the required Content Security Policy rules are. We have strict policy requirements and cannot allow unsafe-inline or unsafe-eval. Are you able to let me know what the required rules are? Thanks!

Expected behaviour
N/A

Does your issue happen with every document, or just one?
N/A

Link to document
N/A

Code snippet
N/A

harald · March 3, 2025, 9:56am

While testing a stricter CSP on our side, we observed that webviewer.core.min.js introduces an inline script. Although it doesn’t appear to affect the PDF web viewer’s functionality, it would be preferable to avoid relying on inline scripts altogether.

Is there a workaround for this issue, and could you look into removing the inline script? We’d prefer not to rely on unsafe-inline in our CSP.

Topic		Replies	Views
Security vulnerabilities in PDF.js Express Technical Support	2	466	August 18, 2021
CVE-2024-4367 vulnerability in pdf.js Technical Support	3	389	July 4, 2024
I get - Refused to load the script 'http://localhost:65534/livereload.js?snipver=1' because it violates the following Content Security Policy directive: Technical Support	5	183	February 16, 2023
XSS execute script in pdf file Technical Support	4	832	August 11, 2023
What version of PDF.js Express we should use Technical Support	2	564	April 7, 2022

What are the Content Security Policy requirements?

Related topics