Skip to content

af open document viewer fails to render — Prism not defined (CSP blocks external scripts) #269

Closed
#270
Closed
af open document viewer fails to render — Prism not defined (CSP blocks external scripts)#269
#270
@waleedkadous

Description

@waleedkadous
waleedkadous
opened on Feb 15, 2026

Bug Description

Opening documents with af open shows the outer frame ("Switch to editing" button visible) but the document content area is blank.

Console Errors

  1. Loading the stylesheet '<URL>' violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'" — CSP blocks PrismJS stylesheet
  2. Loading the script '<URL>' violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' <URL>" — CSP blocks PrismJS script (42 occurrences)
  3. Uncaught (in promise) ReferenceError: Prism is not defined — at renderFile (line 919) and init (line 616)

Root Cause

The document viewer (open.html) attempts to load PrismJS from an external CDN. The page's Content Security Policy blocks both the script and its stylesheet from loading. When the rendering code calls Prism, it's undefined because the script never loaded.

Expected

Document content renders with syntax-highlighted code blocks.

Actual

Blank content area. Outer chrome loads fine.

Observed In

codev-cloud project, af open command.

Fix Direction

Either:

  • Add the CDN domain to the CSP allowlist, or
  • Bundle PrismJS locally and serve from Tower's static files

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions