Content Security Policy and Firewall Rules for Document Authoring Assets

This guide applies if you aren't self-hosting assets. By default, we load most assets from our content delivery network (CDN). Self-hosting is a good choice if you want more control over the assets or need offline-first capabilities.

Content Security Policy (CSP) headers are an essential security feature designed to help protect web applications from various types of attacks, such as cross-site scripting (XSS) and data injection attacks. CSP allows you to specify the sources from which the browser is permitted to load resources, such as scripts, styles, and images, thereby reducing the risk of malicious code execution.

For more detailed information on CSP, refer to the MDN Web Docs on CSP.

Default Secure CSP (CSPv3)

By default, we support a strict CSPv3 configuration, which includes the strict-dynamic directive and nonce-based script management. See this web.dev article for more details:

Content-Security-Policy:
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  object-src 'none';
  base-uri 'self';

If you already have this policy in place, no changes are needed. Just remember to put the per-request nonce on the script tags that load our assets. Nonces are unique values generated for each request, which let the browser tell which scripts are trusted. The 'unsafe-inline', https: and http: entries are fallbacks for older browsers: a browser that understands nonces and 'strict-dynamic' ignores them. Learn more about using nonces in this tutorial on CSP.

CSPv2 and CSPv1

If your application cannot use CSPv3 features and must rely on source allowlisting, below are the relevant directives you’ll need to implement for Document Authoring to function correctly.

Example CSP Configuration for CSPv2/CSPv1

script-src:
  https://document-authoring-cdn.pspdfkit.com

If you’re applying other CSP directives, you’ll need to include the following entries to ensure Document Authoring functions correctly:

connect-src:
  https://document-authoring-cdn.pspdfkit.com

child-src:
  https://document-authoring-cdn.pspdfkit.com

font-src:
  https://document-authoring-cdn.pspdfkit.com

img-src:
  blob:
  data:
  https://document-authoring-cdn.pspdfkit.com

style-src:
  'unsafe-inline'

If you are writing a CSPv3 policy, note that the child-src directive has been deprecated and replaced by the frame-src and worker-src directives. Use these in place of child-src in modern CSP configurations.

Using CSP via a Meta Tag

Outside of setting CSP headers server-side, you can also specify CSP directives directly in your HTML using a <meta> tag:

<meta
	http-equiv="Content-Security-Policy"
	content="default-src 'self'; script-src 'nonce-{random}' https://document-authoring-cdn.pspdfkit.com;"
/>

This method is particularly useful for testing CSP configurations or when server-side header management isn't possible. Note that a policy delivered through a meta tag cannot use the frame-ancestors, report-uri or sandbox directives, and the tag should be placed in the <head> before any other content so that it applies to everything on the page.

Firewall Considerations

In addition to configuring your CSP directives, if you're behind a firewall, you may need to allow certain domains in your firewall settings to ensure Document Authoring functions correctly. The domain listed above (document-authoring-cdn.pspdfkit.com) should be allowlisted in your firewall for outbound HTTPS connections.

Other Resources

By following these guidelines, you’ll ensure that all functionality works out of the box and adheres to good security practices. Remember to keep your CSP directives updated as your application evolves and to test your configuration thoroughly to avoid breaking functionality.

For more in-depth guidance on CSP, refer to the MDN Web Docs and consider using tools like CSP Evaluator to analyze and refine your policy.