CSP origins

CSP origins let you configure the domains, or origins, that Qlik Sense client visualizations and extensions are allowed to communicate with.

Endpoints

GET /v1/csp-origins
POST /v1/csp-origins
GET /v1/csp-origins/{id}
PUT /v1/csp-origins/{id}
DELETE /v1/csp-origins/{id}
GET /v1/csp-origins/actions/generate-header

Retrieves all CSP entries for a tenant


Facts GET /v1/csp-origins

Rate limit
Tier 1 (1000 requests per minute)

Query Parameters GET /v1/csp-origins

childSrc
optional
boolean

Filter resources by directive 'childSrc', true/false.

connectSrc
optional
boolean

Filter resources by directive 'connectSrc', true/false.

connectSrcWSS
optional
boolean

Filter resources by directive 'connectSrcWSS', true/false.

fontSrc
optional
boolean

Filter resources by directive 'fontSrc', true/false.

formAction
optional
boolean

Filter resources by directive 'formAction', true/false.

frameAncestors
optional
boolean

Filter resources by directive 'frameAncestors', true/false.

frameSrc
optional
boolean

Filter resources by directive 'frameSrc', true/false.

imgSrc
optional
boolean

Filter resources by directive 'imgSrc', true/false.

limit
optional, default=20, minimum=1, maximum=100
number

Maximum number of CSP-Origins to retrieve.

mediaSrc
optional
boolean

Filter resources by directive 'mediaSrc', true/false.

name
optional
string

Filter resources by name (wildcard and case insensitive).

next
optional
string

Cursor to the next page.

objectSrc
optional
boolean

Filter resources by directive 'objectSrc', true/false.

origin
optional
string

Filter resources by origin (wildcard and case insensitive).

prev
optional
string

Cursor to the previous page.

scriptSrc
optional
boolean

Filter resources by directive 'scriptSrc', true/false.

sort
optional
string

Field to sort by, prefix with -/+ to indicate order.

Enum:

name

-name

origin

-origin

createdDate

-createdDate

modifiedDate

-modifiedDate

styleSrc
optional
boolean

Filter resources by directive 'styleSrc', true/false.

workerSrc
optional
boolean

Filter resources by directive 'workerSrc', true/false.

Responses GET /v1/csp-origins

200
optional, application/json

OK Response

400
optional, application/json

Bad Request

401
optional, application/json

Unauthorized

403
optional, application/json

Forbidden

500
optional, application/json

Internal Server Error

503
optional, application/json

Service Unavailable

GET /v1/csp-origins

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/csp-origins

{
  "data": [
    {
      "id": "string",
      "name": "string",
      "imgSrc": true,
      "origin": "string",
      "fontSrc": true,
      "childSrc": true,
      "frameSrc": true,
      "mediaSrc": true,
      "styleSrc": true,
      "objectSrc": true,
      "scriptSrc": true,
      "workerSrc": true,
      "connectSrc": true,
      "formAction": true,
      "createdDate": "2023-01-26T11:56:37.887Z",
      "description": "string",
      "modifiedDate": "2023-01-26T11:56:37.887Z",
      "connectSrcWSS": true,
      "frameAncestors": true
    }
  ],
  "links": {
    "next": {
      "href": "string"
    },
    "prev": {
      "href": "string"
    },
    "self": {
      "href": "string"
    }
  }
}
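
An added example (not part of the Qlik documentation) of reviewing a tenant's allowlist: it walks the paginated listing by following `links.next.href` and flags entries worth a second look. The review rules, the injected `fetch` callable, and the two sample pages (relative URLs, cursor value, origins) are assumptions constructed for illustration.

```python
from typing import Callable, Iterator

# CSPEntry flags that let the listed origin supply executable content.
CODE_DIRECTIVES = ("scriptSrc", "objectSrc", "workerSrc")

def iter_entries(first_url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every CSPEntry, following links.next.href until it is absent."""
    url, seen = first_url, set()
    while url and url not in seen:  # guard against a cursor that loops
        seen.add(url)
        page = fetch(url)
        yield from page.get("data", [])
        url = (page.get("links", {}).get("next") or {}).get("href")

def review(entry: dict) -> list:
    """Findings for one entry (reviewer heuristics, not rules enforced by Qlik)."""
    findings = []
    origin = entry.get("origin", "")
    enabled = [d for d in CODE_DIRECTIVES if entry.get(d)]
    if "*" in origin and enabled:
        findings.append(f"wildcard origin with {', '.join(enabled)}")
    if entry.get("frameAncestors"):
        findings.append("origin may embed the tenant (frameAncestors)")
    if not (entry.get("description") or "").strip():
        findings.append("no description recorded")
    return findings

def audit(first_url: str, fetch: Callable[[str], dict]) -> dict:
    """Map entry id -> findings, keeping only entries that have any."""
    return {e["id"]: f for e in iter_entries(first_url, fetch) if (f := review(e))}

# Constructed two-page listing in the shape of the response above.
PAGES = {
    "/api/v1/csp-origins?limit=100": {
        "data": [{"id": "a1", "name": "cdn", "origin": "*.example.com",
                  "scriptSrc": True, "imgSrc": True, "description": ""}],
        "links": {"next": {"href": "/api/v1/csp-origins?limit=100&next=c2"}},
    },
    "/api/v1/csp-origins?limit=100&next=c2": {
        "data": [{"id": "b2", "name": "maps", "origin": "tiles.example.org",
                  "imgSrc": True, "description": "map tiles"}],
        "links": {},
    },
}

if __name__ == "__main__":
    print(audit("/api/v1/csp-origins?limit=100", PAGES.__getitem__))
```

Against a real tenant, pass a `fetch` that performs the authenticated GET shown above and returns the decoded JSON body.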

Creates a new CSP entry


Facts POST /v1/csp-origins

Rate limit
Tier 2 (100 requests per minute)

Request Body POST /v1/csp-origins

application/json

No description

Responses POST /v1/csp-origins

201
optional, application/json

OK Response

400
optional, application/json

Bad Request

401
optional, application/json

Unauthorized

403
optional, application/json

Forbidden

500
optional, application/json

Internal Server Error

503
optional, application/json

Service Unavailable

POST /v1/csp-origins

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
 -X POST \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"createdDate":"2023-01-26T11:56:37.888Z","description":"string","modifiedDate":"2023-01-26T11:56:37.888Z","connectSrcWSS":true,"frameAncestors":true}'

Request POST /v1/csp-origins

{
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "createdDate": "2023-01-26T11:56:37.888Z",
  "description": "string",
  "modifiedDate": "2023-01-26T11:56:37.888Z",
  "connectSrcWSS": true,
  "frameAncestors": true
}

Response POST /v1/csp-origins

{
  "id": "string",
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "createdDate": "2023-01-26T11:56:37.888Z",
  "description": "string",
  "modifiedDate": "2023-01-26T11:56:37.888Z",
  "connectSrcWSS": true,
  "frameAncestors": true
}

Returns details for a specific CSP entry


Facts GET /v1/csp-origins/{id}

Rate limit
Tier 1 (1000 requests per minute)

Path Parameters GET /v1/csp-origins/{id}

id
string

The CSP entry's unique identifier.

Responses GET /v1/csp-origins/{id}

200
optional, application/json

OK Response

400
optional, application/json

Bad Request

401
optional, application/json

Unauthorized

403
optional, application/json

Forbidden

404
optional, application/json

Not found

500
optional, application/json

Internal Server Error

503
optional, application/json

Service Unavailable

GET /v1/csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/csp-origins/{id}

{
  "id": "string",
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "createdDate": "2023-01-26T11:56:37.888Z",
  "description": "string",
  "modifiedDate": "2023-01-26T11:56:37.888Z",
  "connectSrcWSS": true,
  "frameAncestors": true
}

Updates a CSP entry


Facts PUT /v1/csp-origins/{id}

Rate limit
Tier 2 (100 requests per minute)

Path Parameters PUT /v1/csp-origins/{id}

id
string

The CSP entry's unique identifier.

Request Body PUT /v1/csp-origins/{id}

application/json

No description

Responses PUT /v1/csp-origins/{id}

200
optional, application/json

OK Response

400
optional, application/json

Bad Request

401
optional, application/json

Unauthorized

403
optional, application/json

Forbidden

404
optional, application/json

Not found

500
optional, application/json

Internal Server Error

503
optional, application/json

Service Unavailable

PUT /v1/csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
 -X PUT \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"createdDate":"2023-01-26T11:56:37.888Z","description":"string","modifiedDate":"2023-01-26T11:56:37.888Z","connectSrcWSS":true,"frameAncestors":true}'

Request PUT /v1/csp-origins/{id}

{
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "createdDate": "2023-01-26T11:56:37.888Z",
  "description": "string",
  "modifiedDate": "2023-01-26T11:56:37.888Z",
  "connectSrcWSS": true,
  "frameAncestors": true
}

Response PUT /v1/csp-origins/{id}

{
  "id": "string",
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "createdDate": "2023-01-26T11:56:37.888Z",
  "description": "string",
  "modifiedDate": "2023-01-26T11:56:37.888Z",
  "connectSrcWSS": true,
  "frameAncestors": true
}

Deletes a specific CSP entry


Facts DELETE /v1/csp-origins/{id}

Rate limit
Tier 2 (100 requests per minute)

Path Parameters DELETE /v1/csp-origins/{id}

id
string

The CSP entry's unique identifier.

Responses DELETE /v1/csp-origins/{id}

204
optional
object

No Content response.

400
optional, application/json

Bad Request

401
optional, application/json

Unauthorized

403
optional, application/json

Forbidden

404
optional, application/json

Not found

500
optional, application/json

Internal Server Error

503
optional, application/json

Service Unavailable

DELETE /v1/csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
 -X DELETE \
 -H "Authorization: Bearer <API-key>"

Retrieves the CSP header for a tenant


Facts GET /v1/csp-origins/actions/generate-header

Rate limit
Tier 1 (1000 requests per minute)

Responses GET /v1/csp-origins/actions/generate-header

200
optional, application/json

OK Response

401
optional, application/json

Unauthorized

406
optional, application/json

Not Acceptable

500
optional, application/json

Internal Server Error

503
optional, application/json

Service Unavailable

GET /v1/csp-origins/actions/generate-header

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/actions/generate-header" \
 -H "Authorization: Bearer <API-key>"

Response GET /v1/csp-origins/actions/generate-header

{
  "Content-Security-Policy": "string"
}
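
An added example (not from the Qlik documentation) that parses the compiled header and checks that each enabled flag on a CSP entry shows up under the matching directive, with `connectSrcWSS` looked up as a `wss://` source under `connect-src`. It assumes the compiled header lists each origin verbatim; the header string and entries are constructed sample data.

```python
import re

def directive_name(field: str) -> str:
    """Map a CSPEntry field to its directive: imgSrc -> img-src."""
    return re.sub(r"(?<!^)([A-Z])", r"-\1", field).lower()

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive after its first occurrence.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def expected_sources(entry: dict):
    """Yield (directive, source) for every flag set to true on an entry."""
    for field, value in entry.items():
        if value is not True:
            continue  # skips id, name, origin, dates and disabled flags
        if field == "connectSrcWSS":
            yield "connect-src", "wss://" + entry["origin"]
        else:
            yield directive_name(field), entry["origin"]

def missing_from_header(entries: list, header: str) -> list:
    """List (id, directive, source) tuples the compiled header does not carry."""
    policy = parse_csp(header)
    return [(e["id"], d, s) for e in entries
            for d, s in expected_sources(e) if s not in policy.get(d, [])]

# Constructed sample data.
HEADER = ("default-src 'self'; img-src 'self' tiles.example.org; "
          "connect-src 'self' wss://tiles.example.org; script-src 'self'")
ENTRIES = [
    {"id": "a1", "origin": "tiles.example.org", "imgSrc": True,
     "connectSrcWSS": True, "scriptSrc": False},
    {"id": "b2", "origin": "cdn.example.com", "scriptSrc": True},
]

if __name__ == "__main__":
    print(missing_from_header(ENTRIES, HEADER))
```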

CSPEntry

object

Properties

id
optional
string

The CSP entry's unique identifier.

name
optional
string

The name for this entry.

imgSrc
optional
boolean

Specifies valid sources of images and favicons.

origin
optional
string

The origin that the CSP directives should be applied to.

fontSrc
optional
boolean

Specifies valid sources for loading fonts.

childSrc
optional
boolean

Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.

frameSrc
optional
boolean

Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.

mediaSrc
optional
boolean

Specifies valid sources for loading media using the audio and video elements.

styleSrc
optional
boolean

Specifies valid sources for stylesheets.

objectSrc
optional
boolean

Specifies valid sources for the object, embed, and applet elements.

scriptSrc
optional
boolean

Specifies valid sources for JavaScript.

workerSrc
optional
boolean

Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

connectSrc
optional
boolean

Restricts the URLs that can be loaded using script interfaces.

formAction
optional
boolean

Allow forms to be submitted to the origin.

createdDate
optional
string<date-time>

The UTC timestamp when the CSP entry was created.

description
optional
string

The reason for adding this origin to the Content Security Policy.

modifiedDate
optional
string<date-time>

The UTC timestamp when the CSP entry was last modified.

connectSrcWSS
optional
boolean

Restricts the URLs that WebSocket connections can be made to (all sources will be prefixed with 'wss://').

frameAncestors
optional
boolean

Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.

CSPEntryContent

object

Properties

name
optional
string

The name for this entry.

imgSrc
optional
boolean

Specifies valid sources of images and favicons.

origin
string

The origin that the CSP directives should be applied to.

fontSrc
optional
boolean

Specifies valid sources for loading fonts.

childSrc
optional
boolean

Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.

frameSrc
optional
boolean

Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.

mediaSrc
optional
boolean

Specifies valid sources for loading media using the audio and video elements.

styleSrc
optional
boolean

Specifies valid sources for stylesheets.

objectSrc
optional
boolean

Specifies valid sources for the object, embed, and applet elements.

scriptSrc
optional
boolean

Specifies valid sources for JavaScript.

workerSrc
optional
boolean

Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

connectSrc
optional
boolean

Restricts the URLs that can be loaded using script interfaces.

formAction
optional
boolean

Allow forms to be submitted to the origin.

createdDate
optional
string<date-time>

The UTC timestamp when the CSP entry was created.

description
optional
string

The reason for adding this origin to the Content Security Policy.

modifiedDate
optional
string<date-time>

The UTC timestamp when the CSP entry was last modified.

connectSrcWSS
optional
boolean

Restricts the URLs that WebSocket connections can be made to (all sources will be prefixed with 'wss://').

frameAncestors
optional
boolean

Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.

CSPEntryList

object

Properties

data
optional

No description

links
optional

No description

CSPHeader

object

Properties

Content-Security-Policy
optional
string

The compiled CSP header.

Error

object

Properties

code
string

The unique code for the error.

title
string

A summary of what went wrong.

detail
optional
string

May be used to provide additional details.

ErrorResponse

object

Properties

errors
optional

No description

v0.574.0