We have a brand new look! Take a tour with us and explore the latest updates on Adobe Support Community.
We use RoboHelp 2019 to author WebHelp content for the online help of our web application. We use the RoboHelp 2015 command-line to generate the output as part of our continuous integration system with the final installs of the web application.
Due to new customer security requirements and changing guidelines for best practices in web application development, we have added a Content-Security-Policy HTTP header to the configuration for IIS. We are not allowed to use the 'unsafe-inline' or 'unsafe-eval' directives in this header. We have had to rework many of our web application pages to match these constraints, but the remaining piece is the online help.
Has anyone else encountered similar issues with Content-Security-Policy headers in WebHelp?
So, you are using RH2019 to create WebHelp - is that the Classic version or New UI? What was the bit about using RH2015? Or was that just a typo? Not sure of the relevance of how you create the output to your JS issue. You might know that WebHelp has been phased out in RH2020+ in favour of HTML5 that just has the responsiveness turned off. Have you experimented with either the RH2019 New UI or RH2020 versions' HTML5 output to see if you have the same JS issues?
If you have & are still stuck, then I think you need to have a chat with RH support - see https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your support contact options.
We are using RH2019 Classic to author the content. The bit about RH2015 is not a typo, unfortunately. The continuous integration server has RH2015 installed and we use the command-line as part of the build pipeline. When we update to RH2020 on the build server, we will update to the Responsive HTML5 output.
Thanks for your help!
Really? How would RH2015 be able to digest a RH2019 Classic project? I always thought it was a one-way street. If it IS possible, then you're really producing "old" HTML out of RH2015 - there could be a whole pile of security fixes that you're missing in that output (since it's not getting any patches anymore).
I'm surprised that the newest RH2020 frameless HTML5 output would have the same issues - let us know what you find out from the RH support folks.
I was mistaken, it seems that we used RH2019 Classic to generate the HTML5 output. We're upgrading the project to RH2019 New UI and will see where it leads.
I'll circle back with the results.
We upgraded the project to RoboHelp 2019 New UI and re-generated the output. There are fewer inline scripts, but we still need to intercept them to generate secure hashes. Most of the setTimeout function calls have been updated to the non-eval version, but there are still a few more that we'll need to address.
There is a possibility of a phone call with RH support.
I will reply as we get further along with this issue.
After a call with an RH support technician, we tried the RoboHelp 2019 Frameless output, which still has inline scripts (that we can work around), but we have yet to run into any eval statements.
Since we also have 2020 available, we will update to RoboHelp 2020 on our continuous integration server and using the Frameless output.
Thank you for your help.
@Tom.Walker, can we jump on a call (and maybe a screen sharing session) with you guys? With this kind of challenge, it is probably more efficient if the Adobe pros who are deeper in such specialized security things talk directly with you guys. Looks to me like a little bit out of scope of what the community forum here can assist with.
Drop us a line at firstname.lastname@example.org and put me on CC (my last name at adobe dot com).
Thank you for the help.