Feature Request FR-4316
Product Area Security
Status CLOSED

2 Voters

Allow explicit configuration of CSP (Content Security Policy) at application and page level

igor.duca Public
· Mar 6 2025

Idea Summary
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate
certain types of attacks, including cross-site scripting (XSS) and data injection attacks. These
attacks are used for everything from data theft to site defacement to distribution of malware. In the latest APEX version (24.2) the CSP can be set in the “Application properties / Security / Browser Security / HTTP Response Headers”. However, the setting requires advanced know-how and is set for all pages.

Use Case
Most of the APEX applications are using resources only from the local server. Most of the security assessments of APEX applications are revealing the weak configuration of the CSP. The CSP is often set more relaxed to prevent issues with the APEX engine when loading resources (css, images, scripts). It would help if APEX would offer a default safe CSP configuration and all required APEX resources (image files) would match that configuration.

Preferred Solution (Optional)
Offer a dedicated setting for Content Security Policy set by default to all pages. The Page setting should offer the option to overwrite the default setting if required, for instance when a particular page uses some fonts or scripts from another machine.

We reviewed this idea carefully, and while it was interesting, we concluded that due to all the internal implications we need to take into account, it is unlikely to make its way into APEX.

Comments

  • igor.duca OP 4 months ago

    Forgot to mention: this could help to make use of the recently introduced new feature “FR-2425 Generate nonce for inline scripts”. At the moment the nonce random string is generated and injected in all script tags, but the Content Security Policy does not contain the nonce string (script-src 'nonce-rAnd0m').

  • vincent morneau Admin OP 4 months ago

    APEX is making steady progress towards complete CSP without unsafe-inline and unsafe-hashes compliance in the past few releases, with more to come in future releases.

    To enable CSP in your application, one must add an HTTP Response Header to their application security attributes. An example could be

    Content-Security-Policy: default-src 'self' https://static.oracle.com 'nonce-jY9oXSEiJW1PIq42so9I4Q' 'unsafe-hashes' 'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='; object-src 'none'; img-src 'self' https://static.oracle.com data:; frame-ancestors 'self';
    However APEX does not come with a pre-configured HTTP Response Header because it is up to the application to adhere to their CSP rules. It isn't up to the platform to decide.
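The gap raised in the first comment (a nonce injected into script tags that the policy never lists) is easy to check mechanically. The following is an added example, not code from APEX or from either commenter: it parses a Content-Security-Policy header value, resolves the default-src fallback the way browsers do, and reports whether an inline script carrying a given nonce would execute. The header string it ships with is the one quoted in the admin comment above; the nonce values `rAnd0m`, `abc` and `xyz` and the shorter policies in the demo are constructed for illustration.

```python
"""Audit a Content-Security-Policy header for inline-script nonce coverage.

Added example (not part of the feature request or of APEX). Only the
header quoted in the comment above is taken from the page; the other
policies and nonce values in the demo are constructed.
"""
from __future__ import annotations

# Header value as quoted in the admin comment (page content, not constructed).
HEADER_FROM_COMMENT = (
    "Content-Security-Policy: default-src 'self' https://static.oracle.com "
    "'nonce-jY9oXSEiJW1PIq42so9I4Q' 'unsafe-hashes' "
    "'sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='; "
    "object-src 'none'; img-src 'self' https://static.oracle.com data:; "
    "frame-ancestors 'self';"
)

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "object-src", "frame-src", "media-src",
}


def header_value(raw: str) -> str:
    """Accept either a bare policy or a full 'Content-Security-Policy: ...' line."""
    name, sep, value = raw.partition(":")
    if sep and name.strip().lower() == "content-security-policy":
        return value
    return raw


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directive names are case-insensitive; a repeated directive is ignored,
    as browsers keep only the first occurrence."""
    parsed: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in parsed:
            parsed[name] = tokens[1:]
    return parsed


def effective_sources(parsed: dict[str, list[str]], directive: str):
    """Sources governing `directive`, honouring the default-src fallback.

    Returns (governing directive name, source list), or (None, None) when
    nothing restricts it at all."""
    if directive in parsed:
        return directive, parsed[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in parsed:
        return "default-src", parsed["default-src"]
    return None, None


def audit_inline_script(raw_header: str, nonce: str) -> dict:
    """Would <script nonce="..."> run under this header, and why?"""
    parsed = parse_csp(header_value(raw_header))
    governing, sources = effective_sources(parsed, "script-src")
    if sources is None:
        return {"governing": None, "nonce_matches": False,
                "unsafe_inline": False, "inline_allowed": True}
    lowered = [s.lower() for s in sources]
    # The 'nonce-' prefix is case-insensitive; the nonce value itself is not.
    nonce_matches = any(
        s.lower().startswith("'nonce-") and s[7:-1] == nonce for s in sources
    )
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in lowered
    )
    unsafe_inline = "'unsafe-inline'" in lowered
    # Per CSP2+, a nonce or hash in the list makes browsers ignore 'unsafe-inline'.
    inline_allowed = nonce_matches or (unsafe_inline and not has_nonce_or_hash)
    return {"governing": governing, "nonce_matches": nonce_matches,
            "unsafe_inline": unsafe_inline, "inline_allowed": inline_allowed}


if __name__ == "__main__":
    # The nonce APEX injected matches the policy from the comment...
    print(audit_inline_script(HEADER_FROM_COMMENT, "jY9oXSEiJW1PIq42so9I4Q"))
    # ...but a nonce the policy does not list is blocked (the OP's scenario).
    print(audit_inline_script(HEADER_FROM_COMMENT, "rAnd0m"))
    # Constructed relaxed policy: inline runs only because of 'unsafe-inline'.
    print(audit_inline_script("default-src 'self'; script-src 'self' 'unsafe-inline'", "rAnd0m"))
```

The useful signal for an assessment is the combination: `inline_allowed` true with `unsafe_inline` true and `nonce_matches` false means the page works only because the policy is relaxed, which is the weak configuration the use case describes; `inline_allowed` false with a freshly generated nonce means the header was never updated to include it.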