Power Pages - Administer & Monitor
Answered

CSP Headers: Adding a specific URL in Security Panel Issue

Hi all,
 
After applying some recommended security fixes for CSP Headers in the advanced configuration, I am having issues displaying one of the web pages, which shows this error in the browser console:
 
 
When I try to temporarily add the 'unsafe-inline' keyword in the Script Origin section, it does not allow this and considers the entry not valid:
 
 
What could be wrong here, or is this not an incorrect way of trying to set this? I am aware this unsafe-inline keyword is not a best CSP Header practice and is something I plan to fix before going into the Production stage; for now I just want to show some changes to the users to be approved.
 
Any suggestion is appreciated,
 
Best Regards,

Carlos.
  • Verified answer
    Jerry-IN
    Hi,
     
    You’re running into a common pitfall with CSP (Content Security Policy) configuration in Power Pages. Here’s what’s happening:
    When you try to add 'unsafe-inline' as a Script Origin in the Security Panel, Power Pages marks it as invalid and doesn’t let you save it. That’s because 'unsafe-inline' is generally discouraged by modern security standards—it weakens CSP and opens the door for potential XSS attacks. Microsoft, for security reasons, restricts certain keywords like this in the Power Pages Security Panel, so the UI will prevent you from adding them even for temporary testing purposes.
    • Unfortunately, if the Power Pages security config doesn’t allow 'unsafe-inline', there’s no supported way to force it in via the interface. You might try workarounds like updating page-level HTML or JavaScript to avoid the need for inline scripts while you work on a better fix.
    • If you really need 'unsafe-inline' just for staging, consider exporting the site and manually updating the CSP headers in a development environment, not in production. Be sure to remove it before launching—using 'unsafe-inline' long-term is highly discouraged.
    • Ultimately, the best practice (and what’s enforced here) is to move all scripts to external .js files and avoid inline script blocks entirely. This will keep your site secure and compliant with platform policy.
    Recommendation:
    • If you need a quick workaround, explain to stakeholders why the UI blocks this for security, and demo your changes using supported script origins only. If something must be tested with 'unsafe-inline', do it in a local/dev copy—never on production or public-facing systems.
    Hope this clarifies things and helps you plan your next steps!
     
    Best regards,
    Jerald Felix
  • CBDEV
     
    Thank you very much for the clarification, and I completely agree that this question brings up a topic that is not a best practice, for the security reason you pointed out. (It was mostly the rush of the day to show some changes in the development environment.)
     
    Configuring the CSP Headers, even with the Security Analysis suggestions, can lead to some issues if you do not completely understand your site code and objective.
     
    I will try your suggestion of moving all scripts to external .js files, and I will study this CSP configuration more deeply before moving the site into production for external use. Also, to reinforce what you pointed out, 'unsafe-inline' is not a good practice in CSP Headers configuration.
     
    Best Regards,
    Carlos.
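
The answer's advice to move scripts into external .js files starts with finding what a `script-src` policy without 'unsafe-inline' will block. The following is an added example, not code from either poster or from Power Pages: a heuristic Node.js scan over page markup, where the function name and the sample page are constructed for illustration.

```javascript
// Added example: regex-based heuristic, not a full HTML parser.
const JS_TYPES = /^(|module|text\/javascript|application\/javascript)$/i;
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

const lineOf = (text, index) => text.slice(0, index).split("\n").length;

function findInlineScriptViolations(html) {
  const findings = [];
  // 1. <script> blocks with no src and an executable, non-empty body.
  //    Data blocks such as type="application/json" are never executed.
  for (const m of html.matchAll(SCRIPT_RE)) {
    const t = m[1].match(/\stype\s*=\s*["']?([^"'\s>]*)/i);
    const isJs = JS_TYPES.test(t ? t[1] : "");
    if (!/\ssrc\s*=/i.test(m[1]) && isJs && m[2].trim() !== "") {
      findings.push({ kind: "inline-script", line: lineOf(html, m.index) });
    }
  }
  // Blank out script elements (keeping newlines) so their bodies are not
  // mistaken for markup in the next pass.
  const rest = html.replace(SCRIPT_RE, (s) => s.replace(/[^\n]/g, " "));
  for (const m of rest.matchAll(/<[a-z][a-z0-9-]*([^>]*)>/gi)) {
    const line = lineOf(rest, m.index);
    // 2. Inline event handler attributes such as onclick= or onload=.
    for (const a of m[1].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "event-handler", line, attr: a[1].toLowerCase() });
    }
    // 3. javascript: URLs, which CSP treats as inline script.
    if (/\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(m[1])) {
      findings.push({ kind: "javascript-url", line });
    }
  }
  return findings;
}

// Constructed sample page, for illustration only.
const SAMPLE_PAGE = `<html>
<head>
<script src="/site.js"></script>
<script type="application/json">{"a":1}</script>
<script>
  document.title = "demo";
</script>
</head>
<body>
<button onclick="save()" onmouseover="hint()">Save</button>
<a href="javascript:void(0)">Menu</a>
</body>
</html>`;

for (const f of findInlineScriptViolations(SAMPLE_PAGE)) {
  console.log(`line ${f.line}: ${f.kind}${f.attr ? " (" + f.attr + ")" : ""}`);
}
```

Each finding is a piece of code to move into an external file served from an allowed script origin, with event handlers rewired through `addEventListener`.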
