How Content Security Policy (CSP) Setup Affects the “Save” Functionality in Bold Reports Designer
In Bold Reports Designer, the Save and Save As → To Device functionalities rely on form submissions to the server-side reporting API. If your environment has a Content Security Policy (CSP) configured, certain directives, specifically form-action, may block these operations, resulting in failed save attempts.
This article explains why this happens and how to configure CSP properly to support saving reports.
Why the Save Functionality Fails
The Save operation fails when your current CSP configuration includes the following directive:
form-action 'self';
This policy restricts form submissions to the same origin as the Report Designer. If your reporting service is hosted on a different origin (e.g., http://10.99.90.250), the browser blocks the form submission as a security measure.
Affected API Endpoint
/reporting/reportservice/api/Designer/PostFormDesignerAction/
Recommended Fix
To enable the Save functionality, explicitly allow the reporting service’s URL in the form-action directive.
form-action 'self' http://10.99.90.250;
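If your setup includes multiple reporting servers or dynamically assigned IPs, you can use a wildcard. CSP accepts a wildcard only as the leftmost label of a host name, so an IP pattern such as http://10.99.90.* is not a valid source and the browser ignores it; reporting servers addressed by IP must each be listed explicitly. A host-name wildcard reduces the strictness of the CSP and may introduce security risks (reports.example.com below is a placeholder for your own domain):
form-action 'self' http://*.reports.example.com;
Note: Only use wildcards if you trust all matching origins.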
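To check a policy before deploying it, the following added example (not Bold Reports code) evaluates a form-action directive against a form target and reports source expressions that do not fit the CSP host-source grammar. The designer origin designer.example.test is a constructed value, and the matcher is a simplified subset that assumes an IP literal is matched as an exact host, as the fix above does.

```javascript
// Added example: simplified form-action check (scheme, host, port; paths ignored).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
// CSP host-source grammar: optional scheme, then "*" or [ "*." ] labels, optional port.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/.*)?$/i;

function hostSourceMatches(m, doc, target) {
  const [, scheme, host, port] = m;
  const tScheme = target.protocol.slice(0, -1);
  const wantScheme = (scheme || doc.protocol.slice(0, -1)).toLowerCase();
  // An http source also covers the https upgrade of the same host.
  if (tScheme !== wantScheme && !(wantScheme === "http" && tScheme === "https")) return false;
  const tHost = target.hostname.toLowerCase(), h = host.toLowerCase();
  if (h.startsWith("*.")) { if (!tHost.endsWith(h.slice(1))) return false; }
  else if (h !== "*" && h !== tHost) return false;
  if (port === "*") return true;
  const tPort = target.port || DEFAULT_PORT[target.protocol];
  return port ? port === tPort : tPort === DEFAULT_PORT[target.protocol];
}

function checkFormAction(policy, documentUrl, targetUrl) {
  const doc = new URL(documentUrl), target = new URL(targetUrl, documentUrl);
  const directive = policy.split(";").map(d => d.trim().split(/\s+/))
    .find(t => t[0].toLowerCase() === "form-action");
  if (!directive) return { allowed: true, invalid: [] }; // form-action has no fallback
  const invalid = [];
  let allowed = false;
  for (const src of directive.slice(1)) {
    const s = src.toLowerCase();
    // Simplification: 'self' is treated as an exact origin comparison.
    if (s === "'self'") { allowed = allowed || target.origin === doc.origin; continue; }
    if (s.startsWith("'")) continue; // 'none' and other keywords match no URL
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) { allowed = allowed || target.protocol === s; continue; }
    const m = HOST_SOURCE.exec(src);
    if (!m) { invalid.push(src); continue; } // browsers skip unparsable sources
    allowed = allowed || hostSourceMatches(m, doc, target);
  }
  return { allowed, invalid };
}

// Constructed sample: designer origin is hypothetical, endpoint is the one named above.
const DESIGNER = "http://designer.example.test/";
const SAVE_URL = "http://10.99.90.250/reporting/reportservice/api/Designer/PostFormDesignerAction/";
for (const p of ["form-action 'self';", "form-action 'self' http://10.99.90.250;",
                 "form-action 'self' http://10.99.90.*;"]) {
  console.log(p, JSON.stringify(checkFormAction(p, DESIGNER, SAVE_URL)));
}
```

A non-empty invalid list means the browser will drop that source and log a console warning, so the save request stays blocked even though the directive appears to allow it.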