Apex Content-Security-Policy Syntax Not Working In Apex 20.1 and Apex 20.2
(Doc ID 2812492.1)
Last updated on APRIL 03, 2024
Applies to:
Oracle Application Express (APEX) - Version 20.1 and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Information in this document applies to any platform.
Symptoms
After the Content Security Policy is set in the Instance Security Settings, the configured details do not appear in the Response Headers at runtime when the APEX URL is accessed.
1. Log in to APEX Administration and navigate to Instance Settings.
2. Go to Security > HTTP Protocol tab.
3. Set the following parameters.
X-Frame-Options: DENY
x-powered-by: intrawebHHA
Content-Security-Policy: script-src-attr 'unsafe-inline'; script-src-elem 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'; report-uri https://ruat.report-uri.com/r/d/csp/wizard
4. Apply the Changes
5. Open the APEX Application Builder URL with the browser's Developer Tools enabled.
6. The Security Policy details are not appearing in the Response Headers.
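The check in steps 5 and 6 can be scripted. The following is an added example, not part of the Oracle note or of APEX: it compares the header block from step 3 with a response's headers, matching header names case-insensitively and comparing Content-Security-Policy by directive rather than by string. The function names and both sample responses are constructed for illustration.

```python
# Header block from step 3 above, with the policy wrapped over several lines.
CONFIGURED = """X-Frame-Options: DENY
x-powered-by: intrawebHHA
Content-Security-Policy: script-src-attr 'unsafe-inline'; script-src-elem
'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem
'unsafe-inline'; report-uri https://ruat.report-uri.com/r/d/csp/wizard"""

def parse_headers(block):
    """Parse 'Name: value' lines; a line without a header name continues the previous value."""
    headers, last = {}, None
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() and " " not in name.strip():
            last = name.strip().lower()  # header names are case-insensitive
            headers[last] = value.strip()
        elif last and line.strip():
            headers[last] += " " + line.strip()
    return headers

def parse_csp(value):
    """Map each directive to its source set; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), frozenset(tokens[1:]))
    return policy

def missing_headers(configured, response):
    """List configured headers that are absent from, or differ in, the response."""
    want, got = parse_headers(configured), parse_headers(response)
    problems = []
    for name, value in want.items():
        same = parse_csp if name == "content-security-policy" else str
        if name not in got:
            problems.append(name + ": missing")
        elif same(value) != same(got[name]):
            problems.append(name + ": differs")
    return problems

# Constructed sample responses, not captured from a real instance.
RESPONSE_WITHOUT = "HTTP/1.1 200 OK\nContent-Type: text/html; charset=utf-8\n"
RESPONSE_WITH = ("HTTP/1.1 200 OK\nx-frame-options: DENY\nX-Powered-By: intrawebHHA\n"
                 "Content-Security-Policy: style-src-elem 'unsafe-inline'; style-src-attr "
                 "'unsafe-inline'; script-src-elem 'unsafe-inline'; script-src-attr "
                 "'unsafe-inline'; report-uri https://ruat.report-uri.com/r/d/csp/wizard\n")

if __name__ == "__main__":
    for sample in (RESPONSE_WITHOUT, RESPONSE_WITH):
        print(missing_headers(CONFIGURED, sample))
```

To check a real instance, pass the response headers copied from the browser's Developer Tools as the second argument.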
The behavior prior to 19.2 was appearing as follows.
The behavior in 20.1 and 20.2 is appearing as follows.
Changes
The information used to appear in older versions of APEX, i.e. 19.2.
Cause