Content Security Policy

Content Security Policy (CSP) is a browser security feature that helps mitigate various attack vectors, including cross-site scripting (XSS), clickjacking, and other code injection attacks. CSP lets a site control which resources a page is allowed to load.

When the browser detects a CSP violation, it logs it to the console:

[Images: ConsoleErrors.png, GenerateDocumentError.png]

Generate Word document action

Due to CSP, the Generate Word document action in Modern Forms/List Actions/Automation Actions may suddenly stop generating documents. To resolve this issue, follow one of the following options:

Option 1 - Update Teamsware Studio add-in (recommended)

  1. Update the Teamsware Studio modern add-in to version 1.3.113 or later
  2. If you are using a deployment:
    • Create a new package
    • Update the deployment

Option 2 - Add Trusted Script Sources

  1. Manually add the following entry to Trusted script sources in the SharePoint admin center, reachable at this URL: https://yourtenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/contentSecurityPolicy


External script references

Due to CSP, external script usage in Modern Forms/List Actions/Automation Actions may stop loading scripts. To resolve this issue, follow one of the following options:

  • If you are using /// <reference path="path-to-js-file" />, update the Teamsware Studio modern add-in to version 1.3.113 or later
[Image: Scriptreferences.png]


Note 1: If you are using an external URL (for example: https://cdn.jsdelivr.net/npm/signature_pad@2.3.2/dist/signature_pad.min.js), you need to add this URL to Trusted Script Sources in the SharePoint admin center at this URL: https://yourtenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/contentSecurityPolicy
Note 2: Loading external scripts is not supported in Visible and Name expressions in List Actions

  • Do not use 'LoadSodKey'. This method adds the script inline, so it will be blocked by CSP. Instead, use a script reference in the following format: /// <reference path="path-to-js-file" />
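The two notes above boil down to how the browser evaluates the script-src directive: an external script loads only if its URL matches a listed source, and inline script is rejected unless the policy explicitly allows it. The following is an added example, not code from the Teamsware documentation or product, that implements a simplified script-src matcher so you can check a script URL against a policy before deploying. It assumes, as a labelled assumption, that the Trusted Script Sources list ends up as host sources in the page's script-src directive; the tenant name, page URL and policy strings are constructed sample values, and only a subset of the CSP source-expression grammar ('self', 'unsafe-inline', 'none', scheme-only sources and host sources with wildcard subdomain, port and path) is handled.

```javascript
// Added example: simplified CSP script-src matcher (not Teamsware code).
// Assumption: Trusted Script Sources appear as host sources in script-src.

function parseScriptSources(policy) {
  // Returns the script-src source list, falling back to default-src
  // as the browser does; null when neither directive is present.
  const directives = policy.split(';').map((d) => d.trim()).filter(Boolean);
  for (const name of ['script-src', 'default-src']) {
    const d = directives.find((x) => x.split(/\s+/)[0] === name);
    if (d) return d.split(/\s+/).slice(1);
  }
  return null;
}

function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  // "*.example.com" covers subdomains only, not the bare domain
  if (pattern.startsWith('*.')) return hostname.endsWith(pattern.slice(1));
  return pattern === hostname;
}

function defaultPort(protocol) {
  return { 'https:': '443', 'http:': '80' }[protocol] || '';
}

function sourceMatches(source, scriptUrl, pageUrl) {
  const script = new URL(scriptUrl);
  const page = new URL(pageUrl);
  if (source === "'self'") return script.origin === page.origin;
  // scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return script.protocol === source.toLowerCase();
  // host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPort, path] = m;
  const [host, port] = hostPort.split(':');
  if (scheme && script.protocol !== scheme.toLowerCase() + ':') return false;
  // without a scheme the page's scheme applies (an https upgrade is allowed)
  if (!scheme && script.protocol !== page.protocol && script.protocol !== 'https:') return false;
  if (!hostMatches(host.toLowerCase(), script.hostname)) return false;
  if (port && port !== '*' && (script.port || defaultPort(script.protocol)) !== port) return false;
  if (path) {
    // a path ending in "/" is a prefix; otherwise it must match exactly
    return path.endsWith('/') ? script.pathname.startsWith(path) : script.pathname === path;
  }
  return true;
}

// request: { url } for an external script, { inline: true } for inline code
function isScriptAllowed(policy, request, pageUrl) {
  const sources = parseScriptSources(policy);
  if (!sources) return true; // no restriction expressed by this policy
  if (sources.includes("'none'")) return false;
  if (request.inline) return sources.includes("'unsafe-inline'");
  return sources.some((s) => sourceMatches(s, request.url, pageUrl));
}

// Constructed sample values (tenant name and policies are illustrative).
const PAGE_URL = 'https://yourtenant.sharepoint.com/sites/demo/SitePages/Form.aspx';
const POLICY_BEFORE = "default-src 'self'; script-src 'self' https://*.sharepoint.com";
const POLICY_AFTER = POLICY_BEFORE + ' https://cdn.jsdelivr.net'; // CDN added as trusted source
const SIGNATURE_PAD_URL = 'https://cdn.jsdelivr.net/npm/signature_pad@2.3.2/dist/signature_pad.min.js';

function demo() {
  return {
    cdnBefore: isScriptAllowed(POLICY_BEFORE, { url: SIGNATURE_PAD_URL }, PAGE_URL), // false
    cdnAfter: isScriptAllowed(POLICY_AFTER, { url: SIGNATURE_PAD_URL }, PAGE_URL),   // true
    inlineAfter: isScriptAllowed(POLICY_AFTER, { inline: true }, PAGE_URL),           // false
  };
}

console.log(demo());
```

Run it with `node` to see that the CDN script is refused until its host is listed, while inline code stays blocked whatever hosts are added, which is why the inline patterns in the next section need a different fix than adding a trusted source.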

Inline scripts in Teamsware controls/expressions

Teamsware provides the ability to write custom JavaScript in Expressions and custom HTML in Rich Text Controls. These customizations may include inline scripts or inline event handlers created by users in their solutions.

The following cases may be blocked by CSP:

  • Inline event handlers (JavaScript embedded in HTML attributes):
      <button onclick="alert('Hi')">Click</button>
      <body onload="init()">...</body>
      <input onkeyup="myFunction();">
  • JavaScript embedded in href or src attributes:
      <a href="javascript:alert('Hi')">Click</a>
  • document.write() with inline scripts:
      document.write("<script>alert('Hi')</script>");
  • Dynamically created inline scripts:
      const s = document.createElement('script');
      s.textContent = "alert('Hi')";
      document.head.appendChild(s);
  • innerHTML or insertAdjacentHTML with <script>:
      element.innerHTML = "<script>alert('Hi')</script>";
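Because these patterns live inside user-authored HTML, they are easy to miss until the browser blocks them. The following is an added example, not code from the Teamsware documentation or product: a small regex-based lint that scans markup such as a Rich Text Control's HTML for the first three blocked patterns in the list (inline event handler attributes, javascript: URLs and <script> elements without a src). It is a pre-deployment check only, not a substitute for CSP enforcement, and the sample HTML it scans is constructed.

```javascript
// Added example: lint HTML for patterns that CSP blocks (not Teamsware code).
// Regex-based: good enough for a pre-deployment check, not a full HTML parser.

const CSP_PATTERNS = [
  // <tag ... onclick= / onload= / onkeyup= ...> (whitespace before "on" avoids data-online=)
  { kind: 'inline-event-handler', re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
  // href="javascript:..." or src="javascript:..."
  { kind: 'javascript-url', re: /\b(?:href|src)\s*=\s*["']?\s*javascript:/gi },
  // <script> without a src attribute, i.e. an inline script block
  { kind: 'inline-script-block', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi },
];

// Returns [{ kind, line, snippet }] for every blocked pattern found, sorted by line.
function findCspViolations(html) {
  const hits = [];
  for (const { kind, re } of CSP_PATTERNS) {
    re.lastIndex = 0; // the regexes are global; reset between scans
    let m;
    while ((m = re.exec(html)) !== null) {
      const line = html.slice(0, m.index).split('\n').length; // 1-based line number
      hits.push({ kind, line, snippet: m[0].trim() });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Constructed sample markup, as a user might paste it into a Rich Text Control.
const SAMPLE_HTML = [
  '<div id="my-element1">',
  '  <button onclick="alert(\'Hi\')">Click</button>',          // line 2: blocked
  '  <a href="javascript:alert(\'Hi\')">Click</a>',            // line 3: blocked
  '  <script src="/SiteAssets/custom.js"></script>',           // line 4: external, fine
  '  <script>alert(\'Hi\')</script>',                          // line 5: blocked
  '  <input id="name-box" data-online="true">',                // line 6: fine
  '</div>',
].join('\n');

function report(html) {
  return findCspViolations(html).map((v) => `line ${v.line}: ${v.kind} -> ${v.snippet}`);
}

console.log(report(SAMPLE_HTML).join('\n'));
```

Each reported line maps onto the list above; the remedies (a .js file loaded through a script reference, and addEventListener instead of attribute handlers) are the ones given in the next section.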


To avoid scripts being blocked by CSP, use the following approaches:

  1. For scripts - create a .js file and use /// <reference path="path-to-js-file" /> in Expressions and Actions
  2. For inline event handlers - use addEventListener. For example, add the following code to the Execute script action in the After-Form load actions to bind myFunction to the keyup event of my-element1
function myFunction() {
  alert("My Function");
}
// Element ID defined e.g. in a Rich Text Control
const elementId = 'my-element1';
const element = document.getElementById(elementId);
if (element) {
  // Replaces the blocked onkeyup="myFunction();" attribute
  element.addEventListener('keyup', myFunction);
}

Note: The following jQuery code will also work

$('#my-element1').on('keyup', myFunction);