Forum OpenACS Development: Re: Where do I setup CSP Policies (new security improvement)?
In general, the usage of content security policy generator can be controlled via the kernel parameter CSPEnabledP, where it can be turned on or off.
In your particular case, it looks to me as if you have updated acs-core, but not the openacs-bootstrap3-theme package. Can this be the case?
all the best
I had to change bootstrap shared parametres to serve css and js from local filesystem to avoid any block uri. Now I had some minor blocked uris  but some are mayor problems 
By the way, this is really an amazing work and a big security improvement
Concerning gravatar: if you have the version from github, this should be fine (see ). However, if you one is doing an "install from repository", one gets the "last released" version of the branch (with an appropriate tag). So far, i think nobody has released any version depending on CSPs to the release channels. The mixed version might explain the problems.
all the best
As you said before, problem is that I had an old version of bootstrap-theme (Versión 1.1 - HEAD). I had thought that git repository is updated with last changes (now version 220.127.116.11)
I realize that now, trying to do "git pull" I don't see these updates.
Perhaps it's a better setup strategy to use only openacs-core from git and install/upgrade from openacs repositories. I didn't do because of CSP violation, now changing kernelParameter I know how to overcome it. I'd try again
notice that you should switch on github (or after the "git clone") to the "oacs-5-9 branch" to see the actual updates on these packages (see ). For some of the oacs-packages, "oacs-5-9" is preselected, for some just"master". There seems to be no easy way for bulk-changes in the package setups.