Securing web applications is always difficult and a moving target. Fairly recently, web browsers have started supporting the
Content-Security-Policy HTTP header. With it, a site tells the browser which sources of scripts, styles, and other resources are allowed, which helps mitigate Cross-Site Scripting (XSS) and data injection attacks.
Up to and including Orbeon Forms 2017.2, Orbeon Forms included some inline scripts and CSS in the HTML served to the browser, in particular to provide data and functions specific to the current form. So setting a
Content-Security-Policy header which disallows inline scripts and CSS (that is, one without 'unsafe-inline' in its script-src and style-src directives) would break Orbeon Forms.
With Orbeon Forms 2018.1 and newer, on the other hand, Orbeon Forms no longer produces inline scripts or CSS by default. This can make Orbeon Forms safer by default if you set a stricter
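To make concrete what "a header that disallows inline scripts and CSS" means, here is an added example, not Orbeon Forms code: a small Python checker that reads a Content-Security-Policy header value the way a browser does (the most specific directive wins, with fallback to default-src; the first occurrence of a repeated directive is kept; 'unsafe-inline' is ignored once a nonce or hash source is present) and reports whether inline scripts and inline styles would still run. The header values in the sample list are constructed for the illustration.

```python
# Added example (not Orbeon Forms code): decide whether a Content-Security-Policy
# header value lets inline <script> / <style> elements run, following the
# browser's rules: the most specific directive wins, with fallback to
# default-src; the first occurrence of a directive is kept; and 'unsafe-inline'
# is ignored once the governing directive carries a nonce or hash source.

# Directive fallback chains (CSP3): most specific first.
FALLBACK = {
    "script": ("script-src-elem", "script-src", "default-src"),
    "style": ("style-src-elem", "style-src", "default-src"),
}

# Source expressions whose presence makes browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a header value into {directive: [source expressions]}.

    Directives are ';'-separated, names are ASCII case-insensitive, and a
    repeated directive is ignored after its first occurrence, so a later,
    looser copy cannot relax the policy.
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def governing_directive(policy: dict, kind: str):
    """Return (name, sources) for the directive that governs `kind`, or (None, [])."""
    for name in FALLBACK[kind]:
        if name in policy:
            return name, policy[name]
    return None, []


def allows_inline(header: str, kind: str) -> bool:
    """True if an inline <script>/<style> carrying no nonce or hash would run."""
    name, sources = governing_directive(parse_csp(header), kind)
    if name is None:
        return True          # nothing restricts this resource type at all
    lowered = [s.lower() for s in sources]
    if any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered):
        return False         # nonce/hash present: 'unsafe-inline' is ignored
    return "'unsafe-inline'" in lowered


def inline_report(header: str) -> dict:
    """Summarise which inline resource kinds a header still permits."""
    return {kind: allows_inline(header, kind) for kind in FALLBACK}


if __name__ == "__main__":
    # Constructed sample header values, from no policy to a strict one.
    SAMPLES = [
        "",                                                   # no policy at all
        "default-src 'self'",                                 # strict: no inline anything
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
        "script-src 'self'; script-src 'unsafe-inline'",      # duplicate is ignored
    ]
    for h in SAMPLES:
        print(f"{h or '<empty>':<72} {inline_report(h)}")
```

A header that Orbeon Forms 2017.2 and earlier needed would come back with `script` and `style` both `True`; a strict header such as `default-src 'self'` returns `False` for both, which is the configuration that the absence of inline scripts and CSS makes possible. The checker covers the fallback and 'unsafe-inline' rules only; a real browser also applies 'strict-dynamic', report-only policies, and multiple headers, so use its console as the final word.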
In addition, and optionally, Orbeon Forms can generate the Content-Security-Policy header for you via a very simple configuration.
More details are available in the documentation.
We hope you like this new feature of the upcoming Orbeon Forms 2018.1.