I’m seeing a strange behaviour in the ChatGPT app I am currently developing. The exact same app, when added to my account and used with developer mode on, works just fine. However, if I create it at the organization level and publish it, then try to use it without developer mode, I get these errors on every asset (CSS/JS) my widgets are using:
Loading the stylesheet ‘…’ violates the following Content Security Policy directive: “style-src-elem ‘self’ ‘unsafe-inline’ https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://unpkg.com https://*.oaiusercontent.com https://threejs.org”. The action has been blocked.
I understand this is a CSP issue but the domain is exactly the same here from what I can tell? Why is this suddenly blocked when the app runs outside of developer mode?
We are experiencing the same issue at the moment. Do you know if there have been any updates to this or a workaround, since this thread seems quite old by now?
Hey @florent.segouin, @ls3 and @gustavKlingbiel, yeah, that’s odd. Dev mode and published mode shouldn’t behave wildly differently if everything’s configured the same.
One important detail though: once the app is published, ChatGPT strictly enforces whatever CSP you declare in your component resource metadata. In dev mode it can feel more permissive, but published apps rely entirely on the _meta.ui.csp (or the legacy _meta["openai/widgetCSP"]) definition. You can refer to these docs.
Can you confirm whether you’ve explicitly defined one of these in your registerResource call?
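To see which asset origins an enforced directive like the one in the error message actually covers, the following added example (not part of the thread and not OpenAI's code) applies a simplified form of CSP Level 3 host-source matching to a list of asset URLs. The asset URLs and the self origin `https://widget-sandbox.example` are constructed placeholders; path, nonce and hash matching are left out.

```javascript
// Simplified CSP host-source matching: scheme, host (with "*." wildcard) and port only.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };
function parseSource(expr) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return { scheme: expr.toLowerCase() };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host: m[2].toLowerCase(), port: m[3] || null };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  // "*.example.com" needs at least one extra label, so it does not cover "example.com".
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceAllows(expr, url, selfOrigin) {
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes never match a URL
  const src = parseSource(expr);
  if (!src) return false;
  if (!src.host) return url.protocol === src.scheme; // scheme-source such as "https:"
  const schemeOk = src.scheme
    ? url.protocol === src.scheme || (src.scheme === "http:" && url.protocol === "https:")
    : url.protocol === "https:" || url.protocol === new URL(selfOrigin).protocol;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  const portOk = src.port === "*" || urlPort === (src.port || DEFAULT_PORTS[url.protocol]);
  return schemeOk && hostMatches(src.host, url.hostname) && portOk;
}

// For each asset URL, report the first source expression that allows it (null if blocked).
function checkAssets(directive, assetUrls, selfOrigin) {
  const [name, ...sources] = directive.trim().split(/\s+/);
  return assetUrls.map((raw) => {
    const url = new URL(raw);
    const matchedBy = sources.find((s) => sourceAllows(s, url, selfOrigin)) || null;
    return { directive: name, url: raw, allowed: matchedBy !== null, matchedBy };
  });
}

// Directive copied from the error message above; asset URLs and self origin are constructed.
const DIRECTIVE = "style-src-elem 'self' 'unsafe-inline' https://cdn.tailwindcss.com " +
  "https://cdn.jsdelivr.net https://unpkg.com https://*.oaiusercontent.com https://threejs.org";
const SAMPLE_ASSETS = [
  "https://cdn.jsdelivr.net/npm/pkg/dist/widget.css", "https://files.oaiusercontent.com/widget.css",
  "https://oaiusercontent.com/widget.css", "https://assets.example.com/widget.css",
];
const results = checkAssets(DIRECTIVE, SAMPLE_ASSETS, "https://widget-sandbox.example");
for (const r of results) console.log(r.allowed ? "ALLOW" : "BLOCK", r.url, r.matchedBy || "");
```

Any URL reported as BLOCK is served from an origin that is absent from the enforced list, which means it has to be added to the CSP declared in the resource metadata.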