Widget CSP Overview
Introduction
Currently, certain Mendix pluggable widgets are not fully compliant with strict content security policy (CSP). Some of these widgets require access to third-party domains. By allowing access to these domains, these widgets can still follow allowlist CSP.
Setup
For information on setting up your application’s CSP, see the Content Security Policy guide.
Widgets
The following widgets are not fully compliant with strict CSP. See the widgets’ documents below for additional information and setup instructions to enable CSP:
Charts
You can enable allowlist CSP for Charts by including these directives:
style-src 'self' 'unsafe-inline';
Color Picker
You can enable allowlist CSP for Color Picker by including these directives:
style-src 'self' 'unsafe-inline';
HTML/JavaScript Snippet
For information on HTML/JavaScript Snippet widget CSP configurations, see HTML/JavaScript Snippet CSP.
Maps
For information on Maps widget CSP configurations, see Maps CSP.
Rich Text
Use versions 3.0 and higher of Rich Text for strict CSP compliance.
You can enable allowlist CSP for Rich Text by including these directives:
style-src 'self' 'unsafe-inline';
For Rich Text versions 2.x and below, you will need to add the following directives:
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
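To check that a deployed policy really satisfies the directives listed above for Charts, Color Picker, and Rich Text, the following added example (not Mendix code) parses a Content-Security-Policy header value and reports mismatches, including the case where a nonce or hash in the same directive makes browsers ignore 'unsafe-inline'. The function names, the `richTextLegacy` option, the finding labels, and the sample policies are assumptions made for illustration.

```javascript
// Added example, not Mendix code: check a CSP header value against this page's directives.
// Not modelled: style-src-elem, style-src-attr and script-src-elem overrides.

// Parse "name src1 src2; name2 src3" into a Map. A repeated directive is ignored (first wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Sources that govern a directive: its own list, else default-src, else null (unrestricted).
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? null;
}

// Browsers ignore 'unsafe-inline' when the same list also contains a nonce or hash source.
function allowsInline(sources) {
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// richTextLegacy (hypothetical option): true when the app still uses Rich Text 2.x or below.
function checkWidgetCsp(policy, { richTextLegacy = false } = {}) {
  const directives = parseCsp(policy);
  const style = effectiveSources(directives, "style-src");
  const script = effectiveSources(directives, "script-src");
  const findings = [];
  if (!allowsInline(style)) findings.push("style-inline-blocked");
  if (richTextLegacy && !allowsInline(script)) findings.push("script-inline-blocked");
  if (!richTextLegacy && script !== null && allowsInline(script)) {
    findings.push("script-inline-unneeded"); // only Rich Text 2.x and below needs it
  }
  return findings;
}

// Constructed sample policies, not taken from any real application.
const samples = [
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' 'nonce-r4nd0m'",
  "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';",
];
for (const policy of samples) console.log(policy, "->", checkWidgetCsp(policy));
```

A `script-inline-unneeded` finding means the policy allows inline scripts although only Rich Text 2.x and below requires that; upgrading the widget to 3.0 or higher lets you drop 'unsafe-inline' from script-src.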
Progress Circle
Use versions 3.3.0 and higher of Progress Circle for strict CSP compliance.
Web Actions
Use versions 2.10.0 and higher of Web Actions for strict CSP compliance.
Read More
- Read Security Guide to understand more about security roles and access in Mendix
- See App Permissions to understand how to make your app ask users for permission before storing their media