CSP origins

CSP origins allows you to configure domains, or origins, that Qlik Sense client visualizations/extensions are allowed to communicate with.

Endpoints

GET /csp-origins
POST /csp-origins
GET /csp-origins/{id}
PUT /csp-origins/{id}
DELETE /csp-origins/{id}
GET /csp-origins/actions/generate-header

Retrieves all CSP entries for a tenant

Query Parameters GET /csp-origins

sort
string

Field to sort by. Prefix with - or + to indicate the sort order.

Enum:

name

-name

origin

-origin

createdDate

-createdDate

modifiedDate

-modifiedDate

limit
default=20, minimum=1, maximum=100
number

Maximum number of CSP-Origins to retrieve

next
string

Cursor to the next page

prev
string

Cursor to the previous page

name
string

Filter resources by name (wildcard and case insensitive)

origin
string

Filter resources by origin (wildcard and case insensitive)

childSrc
boolean

Filter resources by directive 'childSrc' true/false

connectSrc
boolean

Filter resources by directive 'connectSrc' true/false

connectSrcWSS
boolean

Filter resources by directive 'connectSrcWSS' true/false

fontSrc
boolean

Filter resources by directive 'fontSrc' true/false

formAction
boolean

Filter resources by directive 'formAction' true/false

frameAncestors
boolean

Filter resources by directive 'frameAncestors' true/false

frameSrc
boolean

Filter resources by directive 'frameSrc' true/false

imgSrc
boolean

Filter resources by directive 'imgSrc' true/false

mediaSrc
boolean

Filter resources by directive 'mediaSrc' true/false

objectSrc
boolean

Filter resources by directive 'objectSrc' true/false

scriptSrc
boolean

Filter resources by directive 'scriptSrc' true/false

styleSrc
boolean

Filter resources by directive 'styleSrc' true/false

workerSrc
boolean

Filter resources by directive 'workerSrc' true/false

Responses GET /csp-origins

200
application/json

OK Response

400
application/json

Bad Request

401
application/json

Unauthorized

403
application/json

Forbidden

500
application/json

Internal Server Error

503
application/json

Service Unavailable

GET /csp-origins

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
 -H "Authorization: Bearer <API-key>"

Response GET /csp-origins

{
  "data": [
    {
      "id": "string",
      "origin": "string",
      "name": "string",
      "description": "string",
      "childSrc": true,
      "connectSrc": true,
      "connectSrcWSS": true,
      "fontSrc": true,
      "formAction": true,
      "frameAncestors": true,
      "frameSrc": true,
      "imgSrc": true,
      "mediaSrc": true,
      "objectSrc": true,
      "scriptSrc": true,
      "styleSrc": true,
      "workerSrc": true,
      "createdDate": "2021-06-18T08:27:33.814Z",
      "modifiedDate": "2021-06-18T08:27:33.814Z"
    }
  ],
  "links": {
    "next": {
      "href": "string"
    },
    "self": {
      "href": "string"
    },
    "prev": {
      "href": "string"
    }
  }
}
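
As an added example (not part of the Qlik documentation), the Python below audits a response shaped like the GET /csp-origins listing above and flags entries that grant more than they need. The HIGH_IMPACT set, the finding texts, the sample entries, and the assumption that an origin may contain a '*' wildcard are this example's own.

```python
# Added example: offline audit of CSPEntry objects (sample data is constructed).
DIRECTIVES = ["childSrc", "connectSrc", "connectSrcWSS", "fontSrc", "formAction",
              "frameAncestors", "frameSrc", "imgSrc", "mediaSrc", "objectSrc",
              "scriptSrc", "styleSrc", "workerSrc"]
# Directives this example treats as high impact (an editorial choice, not a Qlik rule).
HIGH_IMPACT = {"scriptSrc", "objectSrc", "workerSrc", "frameAncestors", "formAction"}


def audit_entry(entry):
    """Return the list of findings for one CSPEntry dict."""
    origin = entry.get("origin") or ""
    enabled = {d for d in DIRECTIVES if entry.get(d) is True}
    findings = []
    if enabled == set(DIRECTIVES):
        findings.append(f"all {len(DIRECTIVES)} directives enabled")
    risky = sorted(enabled & HIGH_IMPACT)
    # Assumption: an origin may contain a '*' wildcard covering many hosts.
    if "*" in origin and risky:
        findings.append("wildcard origin with " + ", ".join(risky))
    if not (entry.get("description") or "").strip():
        findings.append("no description recorded")
    return findings


def audit(response):
    """Map entry id -> findings, for entries with at least one finding."""
    report = {}
    for entry in response.get("data", []):
        findings = audit_entry(entry)
        if findings:
            report[entry.get("id", "<no id>")] = findings
    return report


def _entry(id_, origin, description, on):
    """Build a constructed CSPEntry with only the flags in `on` set to true."""
    entry = {"id": id_, "origin": origin, "name": id_, "description": description}
    entry.update({d: d in on for d in DIRECTIVES})
    return entry


SAMPLE = {"data": [  # constructed, shaped like the listing response
    _entry("a1", "fonts.example.com", "Web fonts", {"fontSrc", "styleSrc"}),
    _entry("b2", "*.example.net", "", {"scriptSrc", "imgSrc"}),
    _entry("c3", "partner.example.org", "Mashup host", set(DIRECTIVES)),
]}

if __name__ == "__main__":
    for entry_id, findings in audit(SAMPLE).items():
        print(entry_id, "->", "; ".join(findings))
```

Against a real tenant, feed audit() every page of the listing by following links.next.href until it is absent.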

Creates a new CSP entry

Request Body POST /csp-origins

application/json

No description

Responses POST /csp-origins

201
application/json

OK Response

400
application/json

Bad Request

401
application/json

Unauthorized

403
application/json

Forbidden

500
application/json

Internal Server Error

503
application/json

Service Unavailable

POST /csp-origins

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
 -X POST \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"origin":"string","name":"string","description":"string","childSrc":true,"connectSrc":true,"connectSrcWSS":true,"fontSrc":true,"formAction":true,"frameAncestors":true,"frameSrc":true,"imgSrc":true,"mediaSrc":true,"objectSrc":true,"scriptSrc":true,"styleSrc":true,"workerSrc":true,"createdDate":"2021-06-18T08:27:33.814Z","modifiedDate":"2021-06-18T08:27:33.814Z"}'

Request POST /csp-origins

{
  "origin": "string",
  "name": "string",
  "description": "string",
  "childSrc": true,
  "connectSrc": true,
  "connectSrcWSS": true,
  "fontSrc": true,
  "formAction": true,
  "frameAncestors": true,
  "frameSrc": true,
  "imgSrc": true,
  "mediaSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "styleSrc": true,
  "workerSrc": true,
  "createdDate": "2021-06-18T08:27:33.814Z",
  "modifiedDate": "2021-06-18T08:27:33.814Z"
}

Response POST /csp-origins

{
  "id": "string",
  "origin": "string",
  "name": "string",
  "description": "string",
  "childSrc": true,
  "connectSrc": true,
  "connectSrcWSS": true,
  "fontSrc": true,
  "formAction": true,
  "frameAncestors": true,
  "frameSrc": true,
  "imgSrc": true,
  "mediaSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "styleSrc": true,
  "workerSrc": true,
  "createdDate": "2021-06-18T08:27:33.814Z",
  "modifiedDate": "2021-06-18T08:27:33.814Z"
}

Returns details for a specific CSP entry

Path Parameters GET /csp-origins/{id}

id
string

The CSP entry's unique identifier.

Responses GET /csp-origins/{id}

200
application/json

OK Response

400
application/json

Bad Request

401
application/json

Unauthorized

403
application/json

Forbidden

404
application/json

Not found

500
application/json

Internal Server Error

503
application/json

Service Unavailable

GET /csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
 -H "Authorization: Bearer <API-key>"

Response GET /csp-origins/{id}

{
  "id": "string",
  "origin": "string",
  "name": "string",
  "description": "string",
  "childSrc": true,
  "connectSrc": true,
  "connectSrcWSS": true,
  "fontSrc": true,
  "formAction": true,
  "frameAncestors": true,
  "frameSrc": true,
  "imgSrc": true,
  "mediaSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "styleSrc": true,
  "workerSrc": true,
  "createdDate": "2021-06-18T08:27:33.814Z",
  "modifiedDate": "2021-06-18T08:27:33.814Z"
}

Updates a CSP entry

Path Parameters PUT /csp-origins/{id}

id
string

The CSP entry's unique identifier.

Request Body PUT /csp-origins/{id}

application/json

No description

Responses PUT /csp-origins/{id}

200
application/json

OK Response

400
application/json

Bad Request

401
application/json

Unauthorized

403
application/json

Forbidden

404
application/json

Not found

500
application/json

Internal Server Error

503
application/json

Service Unavailable

PUT /csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
 -X PUT \
 -H "Authorization: Bearer <API-key>" \
 -H "Content-type: application/json" \
 -d '{"origin":"string","name":"string","description":"string","childSrc":true,"connectSrc":true,"connectSrcWSS":true,"fontSrc":true,"formAction":true,"frameAncestors":true,"frameSrc":true,"imgSrc":true,"mediaSrc":true,"objectSrc":true,"scriptSrc":true,"styleSrc":true,"workerSrc":true,"createdDate":"2021-06-18T08:27:33.814Z","modifiedDate":"2021-06-18T08:27:33.814Z"}'

Request PUT /csp-origins/{id}

{
  "origin": "string",
  "name": "string",
  "description": "string",
  "childSrc": true,
  "connectSrc": true,
  "connectSrcWSS": true,
  "fontSrc": true,
  "formAction": true,
  "frameAncestors": true,
  "frameSrc": true,
  "imgSrc": true,
  "mediaSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "styleSrc": true,
  "workerSrc": true,
  "createdDate": "2021-06-18T08:27:33.814Z",
  "modifiedDate": "2021-06-18T08:27:33.814Z"
}

Response PUT /csp-origins/{id}

{
  "id": "string",
  "origin": "string",
  "name": "string",
  "description": "string",
  "childSrc": true,
  "connectSrc": true,
  "connectSrcWSS": true,
  "fontSrc": true,
  "formAction": true,
  "frameAncestors": true,
  "frameSrc": true,
  "imgSrc": true,
  "mediaSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "styleSrc": true,
  "workerSrc": true,
  "createdDate": "2021-06-18T08:27:33.814Z",
  "modifiedDate": "2021-06-18T08:27:33.814Z"
}

Deletes a specific CSP entry

Path Parameters DELETE /csp-origins/{id}

id
string

The CSP entry's unique identifier.

Responses DELETE /csp-origins/{id}

204
object

No Content response.

400
application/json

Bad Request

401
application/json

Unauthorized

403
application/json

Forbidden

404
application/json

Not found

500
application/json

Internal Server Error

503
application/json

Service Unavailable

DELETE /csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
 -X DELETE \
 -H "Authorization: Bearer <API-key>"

Retrieves the CSP header for a tenant

Responses GET /csp-origins/actions/generate-header

200
text/plain
string

OK Response

401
application/json

Unauthorized

406
application/json

Not Acceptable

500
application/json

Internal Server Error

503
application/json

Service Unavailable

GET /csp-origins/actions/generate-header

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/actions/generate-header" \
 -H "Authorization: Bearer <API-key>"

ErrorResponse

object

Properties

errors

No description

Error

object

Properties

code
string

The unique code for the error

title
string

A summary of what went wrong

detail
optional
string

May be used to provide additional details

CSPHeader

object

Properties

Content-Security-Policy
string

The compiled CSP header

CSPEntryList

object

Properties

data

No description

links

No description

CSPEntry

object

Properties

id
string

The CSP entry's unique identifier

origin
string

The origin that the CSP directives should be applied to

name
string

The name for this entry

description
string

The reason for adding this origin to the Content Security Policy

childSrc
boolean

Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iframe

connectSrc
boolean

Restricts the URLs that can be loaded using script interfaces

connectSrcWSS
boolean

Restricts the URLs that can be connected to over WebSockets (all sources will be prefixed with 'wss://')

fontSrc
boolean

Specifies valid sources for loading fonts

formAction
boolean

Allow forms to be submitted to the origin

frameAncestors
boolean

Specifies valid sources for embedding the resource using frame, iframe, object, embed and applet

frameSrc
boolean

Specifies valid sources for loading nested browsing contexts using elements such as frame and iframe

imgSrc
boolean

Specifies valid sources of images and favicons

mediaSrc
boolean

Specifies valid sources for loading media using the audio and video elements

objectSrc
boolean

Specifies valid sources for the object, embed, and applet elements

scriptSrc
boolean

Specifies valid sources for JavaScript

styleSrc
boolean

Specifies valid sources for stylesheets

workerSrc
boolean

Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts

createdDate
string<date-time>

The UTC timestamp when the CSP entry was created

modifiedDate
string<date-time>

The UTC timestamp when the CSP entry was last modified

CSPEntryContent

object

Properties

origin
string

The origin that the CSP directives should be applied to

name
optional
string

The name for this entry

description
optional
string

The reason for adding this origin to the Content Security Policy

childSrc
optional
boolean

Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iframe

connectSrc
optional
boolean

Restricts the URLs that can be loaded using script interfaces

connectSrcWSS
optional
boolean

Restricts the URLs that can be connected to over WebSockets (all sources will be prefixed with 'wss://')

fontSrc
optional
boolean

Specifies valid sources for loading fonts

formAction
optional
boolean

Allow forms to be submitted to the origin

frameAncestors
optional
boolean

Specifies valid sources for embedding the resource using frame, iframe, object, embed and applet

frameSrc
optional
boolean

Specifies valid sources for loading nested browsing contexts using elements such as frame and iframe

imgSrc
optional
boolean

Specifies valid sources of images and favicons

mediaSrc
optional
boolean

Specifies valid sources for loading media using the audio and video elements

objectSrc
optional
boolean

Specifies valid sources for the object, embed, and applet elements

scriptSrc
optional
boolean

Specifies valid sources for JavaScript

styleSrc
optional
boolean

Specifies valid sources for stylesheets

workerSrc
optional
boolean

Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts

createdDate
optional
string<date-time>

The UTC timestamp when the CSP entry was created

modifiedDate
optional
string<date-time>

The UTC timestamp when the CSP entry was last modified

v1.7.1