Skip to Main Content

SQL Developer Web


For appeals, questions and feedback, please email

sql-developer behind ohs. Cannot load if we set content-security-policy headers

juliojgsMay 4 2023

Client requests us to add some headers to our application. To do it, we put ohs in front of it, and set the headers in httpd.conf.

Other products, like oracle forms, seems not to be affected by this, but database actions and sql-developer web stops loading correctly if we set content-security-policy script-src ‘self’

We created a ohs virtual host to receive the connections and mod_wl_ohs takes them to the weblogic server where is deployed ords.war and i.war . We added a proxy reverse directive.

We tried to add the external server address in the content-security-policy , but it is still blocked.

Browser Console error messages:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' ". Either the 'unsafe-inline' keyword, a hash ('sha256-T9mbUudb10PxSmg43De/ndm6vz9f1tYdLcb1z+tSGds='), or a nonce ('nonce-...') is required to enable inline execution.

unsafe-inline … I'm pretty sure the client won't allow this.

I supose this scripts are not interpreted as coming from “self” , as ords is actually in another port in the same weblogic.

Is there some way to allow scripts from there?

Post Details
Added on May 4 2023