Symptom
Can inline JavaScript be disabled and eval statements blocked in the Content Security Policy (CSP) of CSB?
Does the presence of "unsafe-inline" and "unsafe-eval" mean there is a security violation?
Environment
SAP SuccessFactors Recruiting Marketing
Resolution
Background: Several customers have requested increased restrictions on the Content Security Policy directives of the Career Site Builder (CSB), specifically restricting inline JavaScript and the use of the eval statement.
Security implications: Please keep in mind that these CSP directives are not essential for security; they provide a second line of defense against injection attacks. Our product utilizes the Enterprise Security API (ESAPI) for validating untrusted user input values and output values. Provided we are utilizing the ESAPI effectively, injection attacks are not possible.
However, increased CSP is considered a best practice by some security experts and several of our customers have requested this. As a result, Engineering and Product Management have examined the issue and have crafted an execution plan.
Execution plan: It is not feasible for us to modify the CSP directives across the board for all customers. The CSB platform allows for site customization using custom JavaScript and custom plugins, and modifying these directives in the core application would potentially break hundreds of our customers' career sites.
For this reason, our plan is to provide an opt-in switch for turning on these restrictions. This will allow customers to review and adjust their career sites as necessary before enabling the new CSP directives.
Timeline: The rollout of this enhancement will require significant regression testing across the product to ensure compatibility. Currently this topic is slated for the H1 2026 release.
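As an added illustration (not SAP code), the following Python audit reads a Content-Security-Policy header and reports whether the effective script-src still allows inline scripts and eval, showing a permissive policy beside a restricted one; the sample headers are constructed and are not CSB's actual policy. It also handles the CSP Level 2 rule that 'unsafe-inline' is ignored once a nonce or hash source is present, which is the usual way a site reviews its inline scripts before a stricter policy is enabled.

```python
"""Audit a Content-Security-Policy header for 'unsafe-inline' and 'unsafe-eval'."""
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    A repeated directive name is ignored, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; when it is absent, browsers fall back to default-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])

def audit_script_policy(header: str) -> dict:
    """Report what the policy permits for script execution."""
    sources = effective_script_sources(parse_csp(header))
    lowered = [s.lower() for s in sources]
    # CSP Level 2: a nonce or hash source makes 'unsafe-inline' ignored.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    inline_keyword = "'unsafe-inline'" in lowered
    return {
        "allows_inline": inline_keyword and not has_nonce_or_hash,
        "allows_eval": "'unsafe-eval'" in lowered,
        "unsafe_inline_ignored": inline_keyword and has_nonce_or_hash,
        "sources": sources,
    }

# Constructed sample headers (hypothetical, not the real CSB policy).
PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com"
RESTRICTED_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com"
NONCED_CSP = "script-src 'self' 'nonce-abc123' 'unsafe-inline'"

if __name__ == "__main__":
    for label, csp in (("permissive", PERMISSIVE_CSP), ("restricted", RESTRICTED_CSP), ("nonced", NONCED_CSP)):
        print(label, audit_script_policy(csp))
```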
See Also
3044364 - Enabling Content Security Policy for RMK Site - Recruiting Marketing
Keywords
Content Security Policy, unsafe, vulnerability, CSB, Recruiting Marketing, Header, inline, eval, KBA, LOD-SF-RMK-CSB, Career Site Builder, How To