Forum Discussion
Storyline 3 CSP (Content Security Policy) problems
Well, CSP is variable, so at least removing all inline JS and not using eval would already make it a lot better (also when considering performance!).
For anyone else bumping into this thread, this is the CSP header I currently have implemented, and it works with the latest StoryLine (on the plus side, it will also block StoryLine's telemetry, so you don't have to manually uncheck the privacy checkbox in every install):
"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self' data:; font-src 'self' data:;"
Especially the script-src part is wide open (and the most important part of CSP in the first place IMHO). Removing all inline JS and especially removing all eval in the JS would already make me a lot happier :)
Injecting into iFrames is understandable. That could easily be an option when exporting, and adjusting the CSP header accordingly.
The thing is that I think a lot of implementations will upload StoryLine content through websites (to publish e-learning content) and that these headers might be able to save you from some nastiness along the way.
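An added example, not part of the original post: a small JavaScript audit of the policy quoted above, showing which `script-src` sources weaken it and what unlisted directives such as `connect-src` inherit from `default-src`. The function names and the wording of the findings are assumptions made for this illustration.

```javascript
// Policy string copied from the post above.
const POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self' data:; font-src 'self' data:;";

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive that appears twice is ignored the second time.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives that are not listed fall back to default-src.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? null;
}

// Sources that defeat the purpose of script-src (descriptions are this example's wording).
const WEAK = new Map([
  ["'unsafe-inline'", "inline <script> blocks and on* handlers may run"],
  ["'unsafe-eval'", "eval() and other string-to-code calls are allowed"],
  ["*", "scripts may be loaded from any host"],
  ["data:", "data: URLs may be loaded as scripts"],
]);

function auditScriptSrc(header) {
  const sources = effectiveSources(parseCsp(header), "script-src");
  if (sources === null) return ["no script-src or default-src: scripts are unrestricted"];
  const lower = sources.map((s) => s.toLowerCase());
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower
    .filter((s) => WEAK.has(s) && !(s === "'unsafe-inline'" && hasNonceOrHash))
    .map((s) => `${s}: ${WEAK.get(s)}`);
}

console.log(auditScriptSrc(POLICY));
console.log("connect-src resolves to:", effectiveSources(parseCsp(POLICY), "connect-src"));
```

Running it against the posted header reports both `'unsafe-inline'` and `'unsafe-eval'`, while `connect-src` resolves to `'self'` through the `default-src` fallback.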