Support Article
Content Security Policy with “Refused to load image” error
SA-11432
Summary
A user has set up a Content Security Policy and is trying to run a flow. A JavaScript error raised from a Pega-provided JS file appears in the browser console.
Error Messages
Refused to load the image 'data:image/gif;base64,xxxxxxxxxxxxxxxx==' because it violates the following Content Security Policy directive: "img-src 'self' https://www.<a_website>.com https://<another_website>.net".
(anonymous function) @ dvtoolbar_1781386813!!.js:4
(anonymous function) @ dvtoolbar_1781386813!!.js:369
Steps to Reproduce
- Set the Content Security Policy in the Application rule to allow only some of the websites.
- Try to open a Section rule and then see the error message in the console.
Root Cause
The problem in your application comes from a misunderstanding of Pega software functionality.
The issue is triggered by your use of the DVToolbarscript JS file, which assigns a data: URI as an image source and so violates the img-src directive of the Content Security Policy:
var emptyImg = new Image();
emptyImg.src = 'data:image/gif;base64,xxxxxxxxxxxxxxxxxxxxxxxxx==';
Resolution
Modify the DVToolbarscript JS file in your application to comply with the Content Security Policy Directive for img-src.
Refer to the Pega 7.1.8 Help topic, Content Security Policies - Completing the Policy Definition tab, https://pdn-stg.pega.com/node/156616/.
Refer to the Content Security Policy website, the Directive Reference for img-src, which defines valid sources of images.
The Content Security Policy Directive Reference is based on the Content Security Policy 1.0 W3C Candidate Recommendation.
See also the Content-Security-Policy Error Messages.
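The following added example (not Pega code and not part of the original article) evaluates an img-src directive of the same shape as the one in the error message. It shows why the data: URI is refused while an image file served from the application's own origin passes. The hosts, page origin and data: URI are constructed placeholders, and the matching is simplified to keywords, scheme sources and scheme://host sources.

```javascript
// Added example: simplified img-src matching (keywords, scheme and scheme://host sources).
// Hosts, origin and the data: URI are constructed placeholders, not values from the article.
const POLICY = "img-src 'self' https://www.example.com https://images.example.net";
const PAGE_ORIGIN = 'https://app.example.org';
const DATA_GIF = 'data:image/gif;base64,R0lGODlhAQABAAAAACw=';

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function imgSrcAllows(policy, url, pageOrigin) {
  const directives = parseCsp(policy);
  // img-src falls back to default-src; with neither present, images are unrestricted.
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const target = new URL(url);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return target.origin === pageOrigin;
    // Scheme source such as "data:" or "https:".
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
    // "*" covers network schemes only, so it never matches a data: URI.
    if (s === '*') return ['http:', 'https:'].includes(target.protocol);
    try {
      // scheme://host source; data: URIs have an opaque ("null") origin and never match.
      const origin = new URL(s).origin;
      return origin !== 'null' && origin === target.origin;
    } catch {
      return false; // unsupported source form in this simplified matcher
    }
  });
}

console.log(imgSrcAllows(POLICY, DATA_GIF, PAGE_ORIGIN));
console.log(imgSrcAllows(POLICY, PAGE_ORIGIN + '/images/blank.gif', PAGE_ORIGIN));
```

A data: URI is matched only by an explicit `data:` scheme source, which is why neither 'self' nor the listed hosts permit it.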
Published August 31, 2015 - Updated October 8, 2020