Oracle Transportation Management (OTM) – Oracle Guided Learning Integration: CSP Error Analysis and Resolution
Problem Summary:
The Content Security Policy (CSP) error in the Oracle Transportation Management (OTM) application occurs when the browser blocks specific resources (such as scripts or stylesheets) from loading due to OTM’s strict security configuration.
CSP is a browser-level protection mechanism that defines which domains are permitted to load or embed application resources, helping to prevent security risks such as cross-site scripting and data injection.
In this case, the browser refused to load the stylesheet https://guidedlearning-apac.oracle.com/fe/edge/static/css/stTip_2.min.css because the domain guidedlearning-apac.oracle.com was not included in OTM’s CSP style-src directive. As a result, Guided Learning features may fail to load or function correctly.
Depending on your data center region, include the matching domain in the OTM CSP headers:
- NA Tenancy: https://guidedlearning.oracle.com
- EMEA Tenancy: https://guidedlearning-emea.oracle.com
- APAC Tenancy: https://guidedlearning-apac.oracle.com
Additionally, when an external application, such as Oracle Guided Learning (OGL), attempts to integrate with or embed OTM content through an iFrame or cross-domain request, the browser identifies CSP violations and blocks the content, resulting in integration failure.
To resolve this issue, the OTM CSP configuration should be reviewed and updated to include the trusted domain (guidedlearning-apac.oracle.com) under the allowed sources. Alternatively, Oracle Cloud Support should be engaged to whitelist the required domain and securely adjust the CSP settings.
How to Troubleshoot:
- Check the browser console: Open the Developer Tools (Console) and look for error messages such as “Refused to load...”.
- Identify the blocked resource: Note which file or domain (e.g., guidedlearning-apac.oracle.com) is being blocked.
- Review the CSP settings: In the Network tab, locate the Content-Security-Policy header.
- Compare and identify missing domains: If the blocked domain is not listed in the CSP directives, it indicates the source of the issue.
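The comparison in the last two steps can be scripted. The following is an added example, not Oracle's code or part of the original write-up: it parses a Content-Security-Policy header value copied from the Network tab and lists the directives that would block a given URL, including fallback to default-src. The function names, the sample header and the page origin https://otm.example.com are constructed for illustration.

```javascript
// Added example: simplified CSP source matching (hosts, schemes, 'self', *).
// Paths, ports, nonces and hashes are not evaluated.
const FALLBACK = { 'frame-src': ['child-src', 'default-src'] };

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

function effectiveSources(policy, directive) {
  const chain = [directive, ...(FALLBACK[directive] || ['default-src'])];
  const governing = chain.find((d) => policy.has(d));
  return governing ? policy.get(governing) : null; // null: type is unrestricted
}

function sourceAllows(source, url, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keywords, nonces, hashes
  if (source.endsWith(':')) return url.protocol === source; // e.g. https:
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== `${scheme}:`) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Hypothetical helper: directives whose source list would block resourceUrl.
function blockingDirectives(header, resourceUrl, pageOrigin, directives) {
  const policy = parseCsp(header);
  const url = new URL(resourceUrl);
  return directives.filter((d) => {
    const sources = effectiveSources(policy, d);
    return sources !== null && !sources.some((s) => sourceAllows(s, url, pageOrigin));
  });
}

// Constructed sample policy and page origin, not taken from a real OTM instance.
const SAMPLE_CSP = "default-src 'self'; " +
  "style-src 'self' 'unsafe-inline' https://guidedlearning.oracle.com; " +
  "script-src 'self' https://guidedlearning.oracle.com https://guidedlearning-apac.oracle.com";
const PAGE_ORIGIN = 'https://otm.example.com';
const BLOCKED = 'https://guidedlearning-apac.oracle.com/fe/edge/static/css/stTip_2.min.css';
console.log(blockingDirectives(SAMPLE_CSP, BLOCKED, PAGE_ORIGIN,
  ['style-src', 'script-src', 'frame-src', 'connect-src']));
```

In the sample, frame-src and connect-src are reported even though the header never names them, because both fall back to default-src 'self'.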
Root Cause Analysis:
The CSP (Content Security Policy) error occurred because the OTM application’s security policy did not allow loading resources from the domain guidedlearning-apac.oracle.com. The OTM instance is configured with a strict CSP rule that only permits styles and scripts from specific domains (like guidedlearning.oracle.com), but not from its regional variant (guidedlearning-apac.oracle.com). When the browser attempted to load guided learning stylesheets from this domain, it blocked them for security reasons. This restriction caused the guided learning or smart tip features to fail to load properly.
Resolution / Fix:
To resolve the CSP (Content Security Policy) error in the OTM application, the missing domain needs to be added to the list of allowed sources in the CSP configuration. Specifically, the domain guidedlearning-apac.oracle.com should be included under the style-src and script-src directives so that the browser can load the required guided learning resources without being blocked.
If the OTM environment is managed by Oracle Cloud, raise a Service Request (SR) with Oracle Support to update or whitelist the required domain in the CSP policy.
After the configuration is updated:
- Update the OTM environment’s CSP configuration to include trusted OGL domains under the frame-src and connect-src directives, allowing secure communication between OGL and OTM.
- Verify the integration using browser developer tools to ensure there are no CSP violations or blocked requests.
- Clear the browser cache and restart the OTM application to ensure the updated CSP policies are applied successfully.
- Retest the end-to-end integration flow and confirm that OGL and OTM communication functions as expected without any CSP-related errors.
This ensures the guided learning integration works smoothly without compromising OTM’s security controls.