WebViewer 11.7.0 CSP issue: Inline script violation despite cspNonce

Product: Pdftron Webviewer

Product Version: 11.7.0

We’re using WebViewer 11 with a strict nonce-based script-src CSP. We pass cspNonce, but webviewer-core.min.js still triggers Executing inline script violates Content Security Policy. Is this expected? Does cspNonce apply only to dynamically created styles, or should it also nonce the runtime-generated inline scripts? If not, is WebViewer.Iframe() with a separate CSP the recommended deployment model?

1 Like

Hi there,

Within WebViewer, cspNonce is only valid with the style-src CSP, as shown in our guide: Using a Content Security Policy (CSP) with WebViewer | Apryse documentation

You should be able to workaround this via the Iframe implementation of WebViewer with a less restricted CSP.

Best regards,

Kevin

1 Like