Enforce Content Security Policy for External Career Sites
Beginning with release 26B you can enforce a content security policy (CSP) for your external career sites. If you host career site images, videos, or other content externally, you need to add the hosting domains to an allowlist; otherwise the candidate's browser will refuse to load that content once the policy is enforced.
Note: Content security policies will become mandatory starting with the 26C release. You can prepare for this mandatory change now by configuring the allowlist and enforcing content security policies ahead of time. This requirement applies to all externally hosted images and videos visible to external candidates on the career site, including images or videos added to career site pages using the career site editor, and requisition media added through job formatting.
Business benefit: A content security policy restricts the sources from which a candidate's browser will load career site content, providing a more secure browsing experience.
Steps to enable and configure
- In the ORA_IRC_CE_CUSTOM_CONTENT_POLICY_HEADERS profile option, add your external hosting domains to the allowlist. Domains must be separated with a space. This profile option was introduced in release 26A. See Add External Hosting Domains to the Allowlist for additional information.
- Set the ORA_IRC_CE_CSP_ENABLEMENT_MODE profile option to one of the following values. For details, see How do I enable a profile option?
  - Enforce - The content security policy is enabled and violations are blocked. Choose this option to start enforcing the content security policy now.
  - Off - The content security policy is disabled (the default in 26B).
  - Report - The content security policy isn't enforced, so no image or video is blocked in Candidate Experience. However, every violation is reported in the browser console or in the dedicated helper tool, which helps you identify the domains to add to the allowlist. Violations are only reported for pages and media that are actually loaded, so leave Report mode on long enough to cover all career site pages and requisition media before switching to Enforce. To use the helper tool, you need to install the CustomJS within the Theme tab of your career site. For details, see Preparing for Mandatory Content Security Policies on My Oracle Support (KB873325).
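As an added illustration of how a Report-mode run surfaces the domains you need to allowlist (this is not Oracle's CustomJS helper from KB873325 and not code from the original page): a browser fires the standard securitypolicyviolation DOM event for every load that a report-only policy would have blocked, with disposition set to "report". The code below collects those events, keeps only image and video loads, and turns the blocked hosts into the space-separated value the ORA_IRC_CE_CUSTOM_CONTENT_POLICY_HEADERS profile option expects. The directive names img-src and media-src, the assumption that the allowlist takes bare hosts, and the sample violation records are all mine.

```javascript
// Added example, not Oracle's helper tool. Collects CSP violations reported
// by the browser while ORA_IRC_CE_CSP_ENABLEMENT_MODE is set to Report and
// derives the space-separated host list for
// ORA_IRC_CE_CUSTOM_CONTENT_POLICY_HEADERS. Directive names and the bare-host
// allowlist format are assumptions about how the policy is emitted.

// Only image and video loads matter for this requirement.
const MEDIA_DIRECTIVES = new Set(['img-src', 'media-src']);

// Extract the host (with an explicit non-default port, if any) from a blocked
// URI. CSP reports some blocks without a URL ('inline', 'data', 'eval'); those
// cannot be fixed by a domain allowlist, so null is returned for them.
function hostFromBlockedUri(blockedURI) {
  let url;
  try { url = new URL(blockedURI); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // A non-default port is kept so the administrator can see the hosting setup
  // needs it; whether the profile option accepts a port is an assumption.
  return url.host;
}

// Reduce violation records (same shape as SecurityPolicyViolationEvent) to the
// sorted, de-duplicated list of hosts that must be allowlisted.
function hostsToAllowlist(violations) {
  const hosts = new Set();
  for (const v of violations) {
    // effectiveDirective is the directive that actually governed the fetch.
    const directive = v.effectiveDirective || v.violatedDirective || '';
    if (!MEDIA_DIRECTIVES.has(directive)) continue;
    const host = hostFromBlockedUri(v.blockedURI);
    if (host) hosts.add(host);
  }
  return [...hosts].sort();
}

// Format hosts the way the profile option expects: separated by a space.
function allowlistValue(hosts) {
  return hosts.join(' ');
}

// Browser-side wiring. In Report mode the event still fires for each load the
// policy would have blocked, so the list grows as candidates browse the site.
const collected = [];
function installCollector(target) {
  target.addEventListener('securitypolicyviolation', (e) => {
    collected.push({
      blockedURI: e.blockedURI,
      effectiveDirective: e.effectiveDirective,
      violatedDirective: e.violatedDirective,
      disposition: e.disposition, // 'report' in Report mode, 'enforce' in Enforce
      documentURI: e.documentURI,
    });
    console.debug('CSP allowlist so far:', allowlistValue(hostsToAllowlist(collected)));
  });
}
// Guarded so the same file also loads outside a browser (for the test below).
if (typeof document !== 'undefined') installCollector(document);

// Constructed sample violations, as a browser would report them in Report mode.
const SAMPLE_VIOLATIONS = [
  { blockedURI: 'https://cdn.example-hosting.test/banner.png', effectiveDirective: 'img-src', disposition: 'report' },
  { blockedURI: 'https://video.example-hosting.test:8443/intro.mp4', effectiveDirective: 'media-src', disposition: 'report' },
  { blockedURI: 'https://cdn.example-hosting.test/logo.svg', effectiveDirective: 'img-src', disposition: 'report' },
  { blockedURI: 'inline', effectiveDirective: 'style-src-elem', disposition: 'report' }, // not media, ignored
  { blockedURI: 'data', effectiveDirective: 'img-src', disposition: 'report' },           // data: URI, no host to allowlist
];
```

Running the collector on the sample gives the allowlist value "cdn.example-hosting.test video.example-hosting.test:8443"; the inline style and data: image are reported by the browser but are deliberately dropped, because no domain entry would make them load. In practice you would install something like this through the career site's Theme tab, browse every page and requisition as a candidate, and then copy the resulting value into the profile option before switching the mode to Enforce.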