
Errors when using Content-Security-Policy with APEX 24.2.3

ahackmann, May 7 2025 (edited May 8 2025)

I am trying to activate the new Content-Security-Policy feature in APEX 24.2.
I followed the steps from the documentation:
https://docs.oracle.com/en/database/oracle/apex/24.2/aeadm/configuring-content-security-policy-csp.html

I set the HTTP Response Header for my UniversalTheme based application to:
Content-Security-Policy: default-src 'self' #APEX_CSP_NONCE# 'unsafe-hashes' #APEX_CSP_HASHES#; object-src 'none'; img-src 'self' data:;

When the policy is set, on every application page I get the following 3 errors in the browser console (Edge):

jetCommonBundle.min.js?v=24.2.3:527
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' 'nonce-vXyOp_m_HX57sFDw_X-ZuQ' 'unsafe-hashes' 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

jetCommonBundle.min.js?v=24.2.3:527
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' 'nonce-vXyOp_m_HX57sFDw_X-ZuQ' 'unsafe-hashes' 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='". Either the 'unsafe-inline' keyword, a hash ('sha256-VxjHmcXP0U9Zgkr9GhUG4Vgds8G3sZ6YZkLx6BDRXHk='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

desktop_all.min.js?v=24.2.3:5
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' 'nonce-vXyOp_m_HX57sFDw_X-ZuQ' 'unsafe-hashes' 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='". Either the 'unsafe-inline' keyword, a hash ('sha256-ZYARimjC6Mff4mi4EW+PtogY6oftTMyFFQjdaat1vkw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

As I understand it, inside the scripts there is code that modifies the style.

When I add:
style-src 'unsafe-inline' 'self';
to the policy, the errors are gone. But I would like to avoid 'unsafe-inline' for styles.

Why do the suggested settings from the APEX documentation not work for me?

Greetings
Arne
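An added example, not from the post, the APEX documentation or APEX itself: the hash the browser suggests in the first error is the CSP hash of the empty string, so an empty style attribute was applied, and the hash actually listed in the policy does not match it. The script below reproduces that computation, pulls the suggested hash and the enforced directive out of a constructed copy of the first error text, and drafts a hash-based style-src from the reported hashes so the policy can be checked against what the browser saw instead of falling back to 'unsafe-inline'.

```python
import base64
import hashlib
import re
from typing import List, Optional

# Constructed sample: the first browser error quoted in the post, re-typed as one string.
SAMPLE_ERROR = (
    "Refused to apply inline style because it violates the following Content Security "
    "Policy directive: \"default-src 'self' 'nonce-vXyOp_m_HX57sFDw_X-ZuQ' 'unsafe-hashes' "
    "'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='\". Either the 'unsafe-inline' "
    "keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce "
    "('nonce-...') is required to enable inline execution."
)


def csp_sha256(source: str) -> str:
    """CSP hash-source for an inline style/script body: base64(SHA-256(utf-8 bytes))."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def suggested_hash(error_message: str) -> Optional[str]:
    """The hash the browser says would have allowed the blocked inline style."""
    m = re.search(r"a hash \('(sha256-[A-Za-z0-9+/=]+)'\)", error_message)
    return m.group(1) if m else None


def effective_directive(error_message: str) -> str:
    """The directive text the browser enforced (here default-src, used as style-src fallback)."""
    m = re.search(r'directive: "([^"]+)"', error_message)
    return m.group(1) if m else ""


def hash_allowed(directive: str, hash_source: str) -> bool:
    """True if the enforced directive already lists exactly this hash-source token."""
    return f"'{hash_source}'" in directive.split()


def style_src_from_errors(errors: List[str]) -> str:
    """Draft a style-src that lists only the hashes the browser reported, not 'unsafe-inline'.
    'unsafe-hashes' is kept because these violations are style attributes, which a hash alone
    does not cover; hashes of attribute values generated at runtime will not stay stable."""
    hashes: List[str] = []
    for err in errors:
        h = suggested_hash(err)
        if h and h not in hashes:
            hashes.append(h)
    tokens = ["style-src", "'self'", "'unsafe-hashes'"] + [f"'{h}'" for h in hashes]
    return " ".join(tokens) + ";"
```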

Added on May 7 2025