CSP-compatible output via external script for build-docs

When using `@redocly/cli build-docs` to generate a static HTML file, ReDoc injects the entire rendered state as an inline `<script>` block:

```html
<script>
  const __redoc_state = { ... }; // entire OpenAPI spec serialized here
  var container = document.getElementById('redoc');
  Redoc.hydrate(__redoc_state, container);
</script>
```

This inline script violates **Content Security Policy (CSP)** directives that disallow `'unsafe-inline'` for `script-src`. In many enterprise setups, the CSP is enforced by an **API gateway or reverse proxy** and cannot be modified by the application team, making it impossible to whitelist inline scripts.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSP-compatible output via external script for build-docs #2782

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CSP-compatible output via external script for build-docs #2782

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions