Content Security Policy (CSP) and Custom Scripts

Content Security Policy (CSP) is a web security standard, delivered by the server as an HTTP response header or a meta tag, that tells the browser which sources of content (scripts, stylesheets, images, and so on) your application may load or execute, and whether inline scripts may run at all. A well-defined CSP significantly reduces the risk of attacks such as Cross-Site Scripting (XSS), because script injected from a source the policy does not list is refused by the browser.

Impact on Custom Scripts in TheFlex Industry Browser

TheFlex Industry Browser supports custom scripts to extend functionality or integrate custom solutions. However, when a CSP is active, the web view enforces it: a custom script is not injected or executed unless the policy's script-src directive (or default-src, which script-src falls back to) explicitly allows the source the script is loaded from.

Please note:

  • Adding https://localhost/cordova.js to the script-src directive (the script sources) of your CSP is sufficient to use Cordova plugins within TheFlex Browser.
  • It is neither necessary nor recommended to allow all sources or scripts (for example a * wildcard or 'unsafe-inline') in the CSP.
  • A precise CSP configuration that lists only the sources your application actually needs gives your application maximum protection.
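The decision described above, whether https://localhost/cordova.js is allowed by a given policy, as an added example (this is not code from TheFlex or SAP): a small JavaScript checker that parses a Content-Security-Policy header, selects the script-src directive (falling back to default-src as browsers do) and reports whether a script URL matches any of the listed source expressions. The policy strings, the page origin https://s4.example.com and the script URLs are constructed for the example, and the matching is a simplified subset of the CSP3 algorithm (no nonces, hashes or redirect handling).

```javascript
// Added example, not part of TheFlex documentation or code.
// Checks whether a script URL is permitted by a CSP header's script-src
// directive. Page origin and policies below are constructed test data.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
// host-source: [scheme://][*.]host[:port|:*][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9][a-z0-9.-]*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

// Split a header into { directiveName: [sourceExpressions] }.
// Browsers honour only the first occurrence of a directive name.
function parseCsp(header) {
  const directives = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression match the script URL loaded from `page`?
function sourceMatches(expr, url, page) {
  if (expr === '*') return url.protocol in DEFAULT_PORTS;      // any network scheme
  const keyword = expr.startsWith("'") ? expr.toLowerCase() : null;
  if (keyword === "'none'") return false;
  if (keyword === "'self'") return url.origin === page.origin;
  if (keyword) return false;          // 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {                   // scheme-source, e.g. https:
    return url.protocol === expr.toLowerCase();
  }
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;               // malformed expression: browsers ignore it
  const [, scheme, wildcard, host, port, path] = m;

  // Scheme: an explicit scheme must match (http may be upgraded to https);
  // without one, the page's own scheme is required.
  const want = scheme ? scheme.toLowerCase() + ':' : page.protocol;
  if (url.protocol !== want && !(want === 'http:' && url.protocol === 'https:')) return false;

  // Host: exact match, or any subdomain when the expression starts with "*."
  const h = url.hostname.toLowerCase();
  const hh = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + hh) : h !== hh) return false;

  // Port: omitted means the scheme's default port; "*" means any port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port === undefined) {
    if (urlPort !== (DEFAULT_PORTS[url.protocol] || '')) return false;
  } else if (port !== '*' && port !== urlPort) {
    return false;
  }

  // Path: a trailing "/" is a prefix match, anything else must match exactly.
  if (path !== undefined) {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// true when the policy lets the page at pageUrl load scriptUrl as a script.
function scriptAllowed(header, scriptUrl, pageUrl) {
  const csp = parseCsp(header);
  const sources = csp['script-src'] || csp['default-src'];
  if (!sources) return true;          // no governing directive: scripts are unrestricted
  const url = new URL(scriptUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Constructed demonstration data (hypothetical page origin).
const PAGE = 'https://s4.example.com/ui';
const PRECISE = "default-src 'self'; script-src 'self' https://localhost/cordova.js; object-src 'none'";
const PERMISSIVE = 'script-src *';

console.log('cordova.js under precise policy :', scriptAllowed(PRECISE, 'https://localhost/cordova.js', PAGE));
console.log('other.js under precise policy   :', scriptAllowed(PRECISE, 'https://localhost/other.js', PAGE));
console.log('http:// under precise policy    :', scriptAllowed(PRECISE, 'http://localhost/cordova.js', PAGE));
console.log('attacker host under wildcard    :', scriptAllowed(PERMISSIVE, 'https://evil.example/x.js', PAGE));
```

The precise policy admits exactly the Cordova bootstrap URL and the application's own origin, while the `*` wildcard in the second policy admits a script from any host, which is why the wildcard is discouraged above. Because a path in a source expression must match exactly unless it ends in a slash, listing https://localhost/cordova.js does not open the rest of the https://localhost origin.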

Note:
For more information on CSP configuration, refer to the SAP Help documentation
and the SAP Community article about CSP in S/4HANA Cloud.


FAQ: Frequently Asked Questions about CSP and Custom Scripts

Question:
Why is my custom script not executed in TheFlex Browser?

Answer:
Most likely, an active Content Security Policy (CSP) is blocking scripts whose source is not explicitly allowed. Check whether https://localhost/cordova.js is included in the script-src directive of your CSP (or in default-src, if no script-src is set), and adjust the policy if necessary. A CSP violation is reported in the web view's developer console (for example via remote debugging) together with the blocked URL and the directive that rejected it, which confirms that the CSP, and not the script itself, is the cause.

Question:
Is it safe to allow all scripts for custom code?

Answer:
No. For security reasons, allow only the sources that are strictly necessary, such as https://localhost/cordova.js. Permissive rules such as a * wildcard or 'unsafe-inline' let an attacker who can inject markup into a page load or run arbitrary script, which is exactly the XSS risk the CSP exists to prevent.


More information and examples for technical implementation can be found in the Custom Script article, which covers usage and security aspects in detail.