The use of HTML in email has long provided useful formatting capabilities, but the complexity in today's HTML rendering engines also provides many attack vectors for malicious parties to invade the privacy of message recipients. These engines provide many different avenues to load resources from third-party servers or execute the contents of scripts, making it extremely difficult to ensure that HTML authored by third parties doesn't trigger unwanted behavior.
Browser developers realized this was a significant problem quite some time ago, and in response developed a standard called Content Security Policy (CSP), which allows developers to specify clearly and comprehensively what resources may be loaded from where and what scripts are allowed to run. First proposed in 2004 and recognized as a W3C standard in 2012, CSP has long been supported by all major browsers and is widely used to protect HTML content.
The exact CSP policy in use can vary depending on the source of the HTML being displayed and the security policies configured by the administrator, so we cannot document the exact policy in use here.
For additional information, please refer to the following:
Support Contact Information
The AirWatch Team