
Content Security Policy (CSP) and Custom Scripts

Content Security Policy (CSP) is a web security standard that controls which scripts, stylesheets, and other resources a page is allowed to load or execute. A strict CSP is the most effective defense against Cross-Site Scripting (XSS) attacks.

How CSP affects TheFlex custom scripts

TheFlex injects custom scripts into the WebView at the page level. If the loaded web application defines a CSP, the browser will block the injected script unless the policy explicitly permits it.

The minimum required entry to allow TheFlex's Cordova bridge is:

script-src https://localhost/cordova.js

This is sufficient to enable all Cordova plugins (NFC, barcode scanning, etc.) within TheFlex.

Tip: Add only what is strictly necessary. Do not use script-src 'unsafe-inline' or script-src * — these disable CSP protection entirely and create XSS vulnerabilities.

Where to set the CSP

The CSP is set by the web application (e.g. your SAP system), not by TheFlex. Depending on the platform:

  • SAP S/4HANA Cloud / SAP Fiori: The CSP is configured in the SAP system. See the SAP Help documentation and the SAP Community CSP article.
  • Custom web apps: The CSP is typically set as an HTTP response header or a <meta> tag in the HTML.
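
To make the rules above concrete, here is an added example in JavaScript, written for this article rather than taken from TheFlex or Cordova: it parses a policy string, decides whether the script-src directive permits https://localhost/cordova.js using a simplified form of CSP's host-source matching (scheme, host with a leading "*." wildcard, port, path; nonces, hashes and 'strict-dynamic' are not covered), and flags the over-broad values the tip warns against. It also shows one policy in the two delivery forms just named, a response header and a <meta> tag. STRICT_POLICY, the function names and the assumption that the page itself is served over http(s) are mine.

```javascript
// Added example, not TheFlex or Cordova project code: parse a CSP policy string,
// decide whether script-src permits a given script URL, and flag over-broad values.
// Matching is a simplified version of the CSP3 host-source algorithm.

const CORDOVA_BRIDGE = "https://localhost/cordova.js"; // the entry the article requires
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// "directive v1 v2; directive v3" -> Map { "directive" -> ["v1", "v2"], ... }
// CSP honours only the first occurrence of a directive, so duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Does one source expression ("https://localhost/cordova.js", "*.example.com",
// "https:", ...) match the script URL? `url` is a WHATWG URL object.
function sourceMatches(expr, url) {
  if (expr === "*") return true;
  if (expr.startsWith("'")) return false; // 'self', 'none', nonces, hashes: no URL match here
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) { // scheme-source such as "https:"
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit scheme must match (an http expression may also match https).
  // Without a scheme we assume (simplification) that the page is served over http(s).
  if (scheme) {
    const s = `${scheme.toLowerCase()}:`;
    if (s !== url.protocol && !(s === "http:" && url.protocol === "https:")) return false;
  } else if (url.protocol !== "https:" && url.protocol !== "http:") {
    return false;
  }

  // Host: "*.example.com" matches subdomains only; otherwise exact, case-insensitive.
  const hostname = url.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  if (wanted.startsWith("*.")) {
    const suffix = wanted.slice(1); // ".example.com"
    if (!hostname.endsWith(suffix) || hostname.length <= suffix.length) return false;
  } else if (hostname !== wanted) {
    return false;
  }

  // Port: absent means the scheme's default port; "*" means any port; else exact.
  if (port === undefined) {
    if (url.port !== "") return false;
  } else if (port !== "*") {
    if (port !== url.port && !(url.port === "" && port === DEFAULT_PORT[url.protocol])) return false;
  }

  // Path: a trailing "/" is a prefix match; otherwise the path must be identical.
  if (path !== undefined) {
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a script loaded from `scriptUrl` be allowed by this policy?
function scriptSrcAllows(policy, scriptUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // no governing directive: unrestricted
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url));
}

// Findings for the widenings the article says to avoid.
function auditScriptSrc(policy) {
  const directives = parsePolicy(policy);
  const sources = directives.get("script-src") ?? directives.get("default-src") ?? [];
  const findings = [];
  if (sources.length === 0) findings.push("no script-src or default-src: every script is allowed");
  if (sources.includes("'unsafe-inline'")) findings.push("'unsafe-inline' lets injected inline scripts run");
  if (sources.includes("*")) findings.push("* allows scripts from any origin");
  const schemeOnly = sources.find((s) => /^https?:$/i.test(s));
  if (schemeOnly) findings.push(`${schemeOnly} allows any host over that scheme`);
  return findings;
}

// The same policy delivered as a response header or as a <meta> tag (constructed sample).
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://localhost/cordova.js; object-src 'none'";
function asHeader(policy) { return `Content-Security-Policy: ${policy}`; }
function asMetaTag(policy) { return `<meta http-equiv="Content-Security-Policy" content="${policy}">`; }

console.log(asHeader(STRICT_POLICY));
console.log(asMetaTag(STRICT_POLICY));
console.log("cordova.js allowed:", scriptSrcAllows(STRICT_POLICY, CORDOVA_BRIDGE)); // true
console.log("findings:", auditScriptSrc("script-src 'unsafe-inline' *")); // two findings
```

Run it with node before deploying a policy change: if scriptSrcAllows returns false for https://localhost/cordova.js, the bridge will be blocked in TheFlex, and any finding from auditScriptSrc means the policy is wider than the article recommends.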

FAQ

Why is my custom script not executing in TheFlex?

The most likely cause is an active CSP that does not include https://localhost/cordova.js. Check the browser console (via remote debugging) for a CSP violation message, then add the required entry to your application's policy.

Is it safe to allow all scripts?

No. Only allow the specific sources you need — at minimum https://localhost/cordova.js for TheFlex. Wider rules like 'unsafe-inline' or * eliminate CSP protection and should be avoided.

My script runs fine without CSP but breaks after enabling it — what to check?

Check the browser console for CSP violation reports. Each blocked resource generates a message like:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src ..."

Add only the specific source that is being blocked.
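
When the console is hard to reach inside a WebView, the page can also record violations itself. The following is an added example, not TheFlex project code: it listens for the browser's standard securitypolicyviolation event, deduplicates what it sees, and derives the narrowest script-src entry that would allow each blocked resource. For "inline" and "eval" violations it deliberately suggests no entry, since widening the policy with 'unsafe-inline' is what this article says to avoid. The collector and function names are assumptions, and the stub target in the usage exists only so the code runs outside a browser.

```javascript
// Added example, not TheFlex or Cordova project code: capture CSP violations in
// the page and turn each into the narrowest source expression that would allow it.
// SecurityPolicyViolationEvent fields used (blockedURI, effectiveDirective,
// violatedDirective) are standard browser API.

// Narrowest script-src entry for a blocked resource, or null when none should be added.
function suggestSourceFor(blockedURI) {
  if (blockedURI === "inline" || blockedURI === "eval") {
    return null; // do not answer with 'unsafe-inline'/'unsafe-eval'; move the code into a file
  }
  try {
    const u = new URL(blockedURI);
    return `${u.protocol}//${u.host}${u.pathname}`; // scheme, host[:port] and exact path
  } catch {
    return null; // e.g. "data" or "blob": blockedURI is only the scheme name
  }
}

// Deduplicated record of violations, keyed by directive and blocked URI.
function createViolationCollector() {
  const seen = new Map();
  return {
    handle(event) {
      const directive = event.effectiveDirective || event.violatedDirective;
      const key = `${directive} ${event.blockedURI}`;
      if (!seen.has(key)) {
        seen.set(key, {
          directive,
          blockedURI: event.blockedURI,
          suggestion: suggestSourceFor(event.blockedURI),
          count: 0,
        });
      }
      const entry = seen.get(key);
      entry.count += 1;
      return entry;
    },
    report() { return [...seen.values()]; },
  };
}

// Attach to the page. Pass the real `document` in the WebView; any object with
// addEventListener works for offline runs. `log` defaults to console.warn.
function installViolationLogger(target, collector, log = console.warn) {
  target.addEventListener("securitypolicyviolation", (event) => {
    const entry = collector.handle(event);
    log(
      `CSP blocked ${entry.blockedURI} (${entry.directive}); ` +
      (entry.suggestion
        ? `narrowest entry to add: ${entry.suggestion}`
        : "do not widen the policy; serve the code from an allowed file instead"),
    );
  });
}

// Usage in the WebView (no-op when run under node, where `document` does not exist).
if (typeof document !== "undefined") {
  installViolationLogger(document, createViolationCollector());
}
```

With this in place, a blocked bridge shows up as "narrowest entry to add: https://localhost/cordova.js", which is exactly the directive value the article asks for, and nothing wider.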

For more on writing and deploying custom scripts, see the Custom Scripts article.