CSP origins
CSP origins allow you to configure domains, or origins, that Qlik Sense client visualizations/extensions are allowed to communicate with.
Endpoints
Retrieves all content security policies for a tenant.
Facts
Rate limit: Tier 1 (1000 requests per minute)
Query Parameters
- childSrc (boolean)
Filter resources by directive 'childSrc', true/false.
- connectSrc (boolean)
Filter resources by directive 'connectSrc', true/false.
- connectSrcWSS (boolean)
Filter resources by directive 'connectSrcWSS', true/false.
- fontSrc (boolean)
Filter resources by directive 'fontSrc', true/false.
- formAction (boolean)
Filter resources by directive 'formAction', true/false.
- frameAncestors (boolean)
Filter resources by directive 'frameAncestors', true/false.
- frameSrc (boolean)
Filter resources by directive 'frameSrc', true/false.
- imgSrc (boolean)
Filter resources by directive 'imgSrc', true/false.
- limit (number)
Maximum number of CSP-Origins to retrieve.
- mediaSrc (boolean)
Filter resources by directive 'mediaSrc', true/false.
- name (string)
Filter resources by name (wildcard and case insensitive).
- next (string)
Cursor to the next page.
- objectSrc (boolean)
Filter resources by directive 'objectSrc', true/false.
- origin (string)
Filter resources by origin (wildcard and case insensitive).
- prev (string)
Cursor to the previous page.
- scriptSrc (boolean)
Filter resources by directive 'scriptSrc', true/false.
- sort (string)
Field to sort by, prefix with -/+ to indicate order.
Can be one of: "name", "-name", "origin", "-origin", "createdDate", "-createdDate", "modifiedDate", "-modifiedDate"
- styleSrc (boolean)
Filter resources by directive 'styleSrc', true/false.
- workerSrc (boolean)
Filter resources by directive 'workerSrc', true/false.
Responses
200
application/json
OK Response
- application/json (object)
application/json properties
- data (array of objects)
data properties
- name (string)
The name for this entry.
- imgSrc (boolean)
Specifies valid sources of images and favicons.
- origin (string, required)
The origin that the CSP directives should be applied to.
- fontSrc (boolean)
Specifies valid sources for loading fonts.
- childSrc (boolean)
Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrc (boolean)
Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrc (boolean)
Specifies valid sources for loading media using the audio and video elements.
- styleSrc (boolean)
Specifies valid sources for stylesheets.
- objectSrc (boolean)
Specifies valid sources for the object, embed, and applet elements.
- scriptSrc (boolean)
Specifies valid sources for JavaScript.
- workerSrc (boolean)
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrc (boolean)
Restricts the URLs that can be loaded using script interfaces.
- formAction (boolean)
Allow forms to be submitted to the origin.
- createdDate (string)
The UTC timestamp when the CSP entry was created.
- description (string)
The reason for adding this origin to the Content Security Policy.
- modifiedDate (string)
The UTC timestamp when the CSP entry was last modified.
- connectSrcWSS (boolean)
Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestors (boolean)
Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
- id (string)
The CSP entry's unique identifier.
- links (object)
links properties
- next (object)
next properties
- href (string, required)
URL to a resource request.
- prev (object)
prev properties
- href (string, required)
URL to a resource request.
- self (object)
self properties
- href (string, required)
URL to a resource request.
400
application/json
Bad Request
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
401
application/json
Unauthorized
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
403
application/json
Forbidden
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
500
application/json
Internal Server Error
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
503
application/json
Service Unavailable
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
  -H "Authorization: Bearer <access_token>"
Response
{ "data": [ { "name": "string", "imgSrc": true, "origin": "string", "fontSrc": true, "childSrc": true, "frameSrc": true, "mediaSrc": true, "styleSrc": true, "objectSrc": true, "scriptSrc": true, "workerSrc": true, "connectSrc": true, "formAction": true, "createdDate": "2018-10-30T07:06:22Z", "description": "string", "modifiedDate": "2018-10-30T07:06:22Z", "connectSrcWSS": true, "frameAncestors": true, "id": "string" } ], "links": { "next": { "href": "string" }, "prev": { "href": "string" }, "self": { "href": "string" } }}
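Added example (not part of the Qlik documentation): a Python review pass over the list response above that follows links.next.href across pages and flags entries that deserve a second look. The sample entries, their ids, the wildcard origin value, the cursor value and the choice of which directive flags count as high-impact are assumptions made for this example.

```python
from typing import Callable, Iterator

# Flags that let the origin supply scripts, workers or plugin content.
# Treating these four as the high-impact set is this example's policy choice.
CODE_EXEC_FLAGS = ("scriptSrc", "workerSrc", "objectSrc", "childSrc")
ALL_FLAGS = CODE_EXEC_FLAGS + (
    "connectSrc", "connectSrcWSS", "fontSrc", "formAction", "frameAncestors",
    "frameSrc", "imgSrc", "mediaSrc", "styleSrc",
)


def iter_origins(fetch_page: Callable[[str], dict], first_url: str) -> Iterator[dict]:
    """Yield every entry, following links.next.href until no next page is given."""
    url, seen = first_url, set()
    while url and url not in seen:  # 'seen' stops a repeated cursor from looping
        seen.add(url)
        page = fetch_page(url)
        yield from page.get("data") or []
        url = ((page.get("links") or {}).get("next") or {}).get("href")


def audit_entry(entry: dict) -> list:
    """Return review findings for one CSP origin entry."""
    findings = []
    enabled = [f for f in ALL_FLAGS if entry.get(f) is True]
    if "*" in entry.get("origin", "") and any(f in CODE_EXEC_FLAGS for f in enabled):
        findings.append("wildcard origin may supply executable content")
    if len(enabled) == len(ALL_FLAGS):
        findings.append("every directive enabled; grant only what is used")
    if not (entry.get("description") or "").strip():
        findings.append("no description recording why the origin was added")
    return findings


def audit(fetch_page: Callable[[str], dict], first_url: str) -> dict:
    """Map entry id -> findings, for entries with at least one finding."""
    report = {}
    for entry in iter_origins(fetch_page, first_url):
        findings = audit_entry(entry)
        if findings:
            report[entry.get("id", "<no id>")] = findings
    return report


def make_entry(id_: str, origin: str, description: str = "", **flags: bool) -> dict:
    """Build a constructed entry with every directive flag defaulting to False."""
    entry = {"id": id_, "name": id_, "origin": origin, "description": description}
    entry.update({f: False for f in ALL_FLAGS})
    entry.update(flags)
    return entry


# Constructed two-page list response; in real use fetch_page would issue the
# authenticated GET shown in the curl example and return the parsed JSON.
BASE = "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins"
PAGE_2 = BASE + "?next=constructed-cursor"
PAGES = {
    BASE: {
        "data": [
            make_entry("id-1", "maps.example.com", "Tiles for the map extension",
                       imgSrc=True, connectSrc=True),
            make_entry("id-2", "*.cdn.example", scriptSrc=True, styleSrc=True),
        ],
        "links": {"self": {"href": BASE}, "next": {"href": PAGE_2}},
    },
    PAGE_2: {
        "data": [make_entry("id-3", "widgets.example.org", "Legacy dashboard",
                            **{f: True for f in ALL_FLAGS})],
        "links": {"self": {"href": PAGE_2}, "prev": {"href": BASE}},
    },
}

if __name__ == "__main__":
    for entry_id, findings in audit(PAGES.__getitem__, BASE).items():
        print(entry_id, findings)
```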
Creates a new content security policy for an origin.
Facts
Rate limit: Tier 2 (100 requests per minute)
Request Body
Required, application/json
- application/json (object)
application/json properties
- name (string)
The name for this entry.
- imgSrc (boolean)
Specifies valid sources of images and favicons.
- origin (string, required)
The origin that the CSP directives should be applied to.
- fontSrc (boolean)
Specifies valid sources for loading fonts.
- childSrc (boolean)
Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrc (boolean)
Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrc (boolean)
Specifies valid sources for loading media using the audio and video elements.
- styleSrc (boolean)
Specifies valid sources for stylesheets.
- objectSrc (boolean)
Specifies valid sources for the object, embed, and applet elements.
- scriptSrc (boolean)
Specifies valid sources for JavaScript.
- workerSrc (boolean)
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrc (boolean)
Restricts the URLs that can be loaded using script interfaces.
- formAction (boolean)
Allow forms to be submitted to the origin.
- description (string)
The reason for adding this origin to the Content Security Policy.
- connectSrcWSS (boolean)
Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestors (boolean)
Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
Responses
201
application/json
OK Response
- application/json (object)
application/json properties
- name (string)
The name for this entry.
- imgSrc (boolean)
Specifies valid sources of images and favicons.
- origin (string, required)
The origin that the CSP directives should be applied to.
- fontSrc (boolean)
Specifies valid sources for loading fonts.
- childSrc (boolean)
Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrc (boolean)
Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrc (boolean)
Specifies valid sources for loading media using the audio and video elements.
- styleSrc (boolean)
Specifies valid sources for stylesheets.
- objectSrc (boolean)
Specifies valid sources for the object, embed, and applet elements.
- scriptSrc (boolean)
Specifies valid sources for JavaScript.
- workerSrc (boolean)
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrc (boolean)
Restricts the URLs that can be loaded using script interfaces.
- formAction (boolean)
Allow forms to be submitted to the origin.
- createdDate (string)
The UTC timestamp when the CSP entry was created.
- description (string)
The reason for adding this origin to the Content Security Policy.
- modifiedDate (string)
The UTC timestamp when the CSP entry was last modified.
- connectSrcWSS (boolean)
Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestors (boolean)
Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
- id (string)
The CSP entry's unique identifier.
400
application/json
Bad Request
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
401
application/json
Unauthorized
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
403
application/json
Forbidden
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
500
application/json
Internal Server Error
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
503
application/json
Service Unavailable
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
  -X POST \
  -H "Content-type: application/json" \
  -H "Authorization: Bearer <access_token>" \
  -d '{"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"description":"string","connectSrcWSS":true,"frameAncestors":true}'
Request
{ "name": "string", "imgSrc": true, "origin": "string", "fontSrc": true, "childSrc": true, "frameSrc": true, "mediaSrc": true, "styleSrc": true, "objectSrc": true, "scriptSrc": true, "workerSrc": true, "connectSrc": true, "formAction": true, "description": "string", "connectSrcWSS": true, "frameAncestors": true}
Response
{ "name": "string", "imgSrc": true, "origin": "string", "fontSrc": true, "childSrc": true, "frameSrc": true, "mediaSrc": true, "styleSrc": true, "objectSrc": true, "scriptSrc": true, "workerSrc": true, "connectSrc": true, "formAction": true, "createdDate": "2018-10-30T07:06:22Z", "description": "string", "modifiedDate": "2018-10-30T07:06:22Z", "connectSrcWSS": true, "frameAncestors": true, "id": "string"}
Returns details for a specific content security policy.
Facts
Rate limit: Tier 1 (1000 requests per minute)
Path Parameters
- id (string, required)
The CSP entry's unique identifier.
Responses
200
application/json
OK Response
- application/json (object)
application/json properties
- name (string)
The name for this entry.
- imgSrc (boolean)
Specifies valid sources of images and favicons.
- origin (string, required)
The origin that the CSP directives should be applied to.
- fontSrc (boolean)
Specifies valid sources for loading fonts.
- childSrc (boolean)
Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrc (boolean)
Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrc (boolean)
Specifies valid sources for loading media using the audio and video elements.
- styleSrc (boolean)
Specifies valid sources for stylesheets.
- objectSrc (boolean)
Specifies valid sources for the object, embed, and applet elements.
- scriptSrc (boolean)
Specifies valid sources for JavaScript.
- workerSrc (boolean)
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrc (boolean)
Restricts the URLs that can be loaded using script interfaces.
- formAction (boolean)
Allow forms to be submitted to the origin.
- createdDate (string)
The UTC timestamp when the CSP entry was created.
- description (string)
The reason for adding this origin to the Content Security Policy.
- modifiedDate (string)
The UTC timestamp when the CSP entry was last modified.
- connectSrcWSS (boolean)
Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestors (boolean)
Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
- id (string)
The CSP entry's unique identifier.
400
application/json
Bad Request
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
401
application/json
Unauthorized
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
403
application/json
Forbidden
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
404
application/json
Not found
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
500
application/json
Internal Server Error
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
503
application/json
Service Unavailable
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
  -H "Authorization: Bearer <access_token>"
Response
{ "name": "string", "imgSrc": true, "origin": "string", "fontSrc": true, "childSrc": true, "frameSrc": true, "mediaSrc": true, "styleSrc": true, "objectSrc": true, "scriptSrc": true, "workerSrc": true, "connectSrc": true, "formAction": true, "createdDate": "2018-10-30T07:06:22Z", "description": "string", "modifiedDate": "2018-10-30T07:06:22Z", "connectSrcWSS": true, "frameAncestors": true, "id": "string"}
Updates a content security policy.
Facts
Rate limit: Tier 2 (100 requests per minute)
Path Parameters
- id (string, required)
The CSP entry's unique identifier.
Request Body
Required, application/json
- application/json (object)
application/json properties
- name (string)
The name for this entry.
- imgSrc (boolean)
Specifies valid sources of images and favicons.
- origin (string, required)
The origin that the CSP directives should be applied to.
- fontSrc (boolean)
Specifies valid sources for loading fonts.
- childSrc (boolean)
Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrc (boolean)
Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrc (boolean)
Specifies valid sources for loading media using the audio and video elements.
- styleSrc (boolean)
Specifies valid sources for stylesheets.
- objectSrc (boolean)
Specifies valid sources for the object, embed, and applet elements.
- scriptSrc (boolean)
Specifies valid sources for JavaScript.
- workerSrc (boolean)
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrc (boolean)
Restricts the URLs that can be loaded using script interfaces.
- formAction (boolean)
Allow forms to be submitted to the origin.
- description (string)
The reason for adding this origin to the Content Security Policy.
- connectSrcWSS (boolean)
Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestors (boolean)
Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
Responses
200
application/json
OK Response
- application/json (object)
application/json properties
- name (string)
The name for this entry.
- imgSrc (boolean)
Specifies valid sources of images and favicons.
- origin (string, required)
The origin that the CSP directives should be applied to.
- fontSrc (boolean)
Specifies valid sources for loading fonts.
- childSrc (boolean)
Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrc (boolean)
Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrc (boolean)
Specifies valid sources for loading media using the audio and video elements.
- styleSrc (boolean)
Specifies valid sources for stylesheets.
- objectSrc (boolean)
Specifies valid sources for the object, embed, and applet elements.
- scriptSrc (boolean)
Specifies valid sources for JavaScript.
- workerSrc (boolean)
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrc (boolean)
Restricts the URLs that can be loaded using script interfaces.
- formAction (boolean)
Allow forms to be submitted to the origin.
- createdDate (string)
The UTC timestamp when the CSP entry was created.
- description (string)
The reason for adding this origin to the Content Security Policy.
- modifiedDate (string)
The UTC timestamp when the CSP entry was last modified.
- connectSrcWSS (boolean)
Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestors (boolean)
Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
- id (string)
The CSP entry's unique identifier.
400
application/json
Bad Request
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
401
application/json
Unauthorized
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
403
application/json
Forbidden
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
404
application/json
Not found
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
500
application/json
Internal Server Error
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
503
application/json
Service Unavailable
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
  -X PUT \
  -H "Content-type: application/json" \
  -H "Authorization: Bearer <access_token>" \
  -d '{"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"description":"string","connectSrcWSS":true,"frameAncestors":true}'
Request
{ "name": "string", "imgSrc": true, "origin": "string", "fontSrc": true, "childSrc": true, "frameSrc": true, "mediaSrc": true, "styleSrc": true, "objectSrc": true, "scriptSrc": true, "workerSrc": true, "connectSrc": true, "formAction": true, "description": "string", "connectSrcWSS": true, "frameAncestors": true}
Response
{ "name": "string", "imgSrc": true, "origin": "string", "fontSrc": true, "childSrc": true, "frameSrc": true, "mediaSrc": true, "styleSrc": true, "objectSrc": true, "scriptSrc": true, "workerSrc": true, "connectSrc": true, "formAction": true, "createdDate": "2018-10-30T07:06:22Z", "description": "string", "modifiedDate": "2018-10-30T07:06:22Z", "connectSrcWSS": true, "frameAncestors": true, "id": "string"}
Deletes a specific content security policy.
Facts
Rate limit: Tier 2 (100 requests per minute)
Path Parameters
- id (string, required)
The CSP entry's unique identifier.
Responses
204
No Content response.
400
application/json
Bad Request
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
401
application/json
Unauthorized
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
403
application/json
Forbidden
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
404
application/json
Not found
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
500
application/json
Internal Server Error
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
503
application/json
Service Unavailable
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
  -X DELETE \
  -H "Authorization: Bearer <access_token>"
Retrieves the full content security policy header (including all configured policies and origins) for the tenant.
Facts
Rate limit: Tier 1 (1000 requests per minute)
Header Parameters
- Accept (string)
The Accept request HTTP header indicates which content types, expressed as MIME types, the client is able to understand.
Can be one of: "application/json", "text/plain"
Responses
200
text/plain
OK Response
- text/plain (string)
200
application/json
OK Response
- application/json (object)
application/json properties
- Content-Security-Policy (string)
The compiled CSP header.
401
application/json
Unauthorized
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
406
application/json
Not Acceptable
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
500
application/json
Internal Server Error
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
503
application/json
Service Unavailable
- application/json (object)
application/json properties
- errors (array of objects)
errors properties
- code (string, required)
The unique code for the error.
- title (string, required)
A summary of what went wrong.
- detail (string)
May be used to provide additional details.
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/actions/generate-header" \
  -H "Authorization: Bearer <access_token>"
Response
"string"