Modifying default-src in Content-Security-Policy

Hi,

I have a Custom UI component that uses a third-party script to render mathematical formulas. This script needs to download (many) fonts from the domain that the script itself is also coming from. However, the requests to this domain are getting blocked due to the CSP ‘default-src’. The ‘default-src’ value my browser gets from Atlassian is ‘self’.

I have checked the following pages, but couldn’t see any field that controls ‘default-src’. Is there any way to modify this CSP directive?

https://developer.atlassian.com/platform/forge/manifest-reference/permissions/
https://developer.atlassian.com/platform/forge/add-content-security-and-egress-controls

Bumping for visibility.

Thanks for bringing this up, @CemGndodu.

At this stage, we won’t be adding default-src, but I’ve added a ticket in our internal backlog to allow you to specify font-src, which will take precedence over the default-src rule and should support your use case.


Support for specifying the font-src CSP directive has recently been added; see Fonts for details.

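The precedence discussed in this thread, as an added example that is not part of the original posts or Atlassian's code: a simplified model of how a browser picks the directive that governs a font request, showing that font-src replaces default-src for fonts rather than extending it. The function names and the origins `app.example.com` and `fonts.example.com` are constructed for illustration.

```javascript
// Simplified model of CSP source matching for font loads (added example).
// Handles 'self', 'none', '*', and [scheme://]host sources with an optional "*." prefix.
// Not modelled: paths, ports, nonces, hashes, scheme upgrade rules.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function matchesSource(source, url, selfOrigin) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === selfOrigin;
  if (source === '*') return ['http:', 'https:'].includes(target.protocol); // http(s) only here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false; // expression not supported by this model
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ':') return false;
  const h = target.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

function fontLoadDecision(header, fontUrl, selfOrigin) {
  const policy = parsePolicy(header);
  // font-src, when present, governs fonts on its own; default-src is only the fallback.
  const governing = policy.has('font-src') ? 'font-src'
    : policy.has('default-src') ? 'default-src' : null;
  if (!governing) return { allowed: true, governing };
  const allowed = policy.get(governing).some(s => matchesSource(s, fontUrl, selfOrigin));
  return { allowed, governing };
}
```

Because the two source lists are not merged, a font-src that names only the third-party host also stops fonts served from the app's own origin unless 'self' is listed in font-src as well.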