When using @redocly/cli build-docs to generate a static HTML file, ReDoc injects the entire rendered state as an inline <script> block:
<script>
const __redoc_state = { ... }; // entire OpenAPI spec serialized here
var container = document.getElementById('redoc');
Redoc.hydrate(__redoc_state, container);
</script>
This inline script violates Content Security Policy (CSP) directives that disallow 'unsafe-inline' for script-src. In many enterprise setups, the CSP is enforced by an API gateway or reverse proxy and cannot be modified by the application team, making it impossible to whitelist inline scripts.