CSP - what is it and how to use it?

This tutorial explains the concept of Content Security Policy (CSP) and shows how to modify CSP policies in your Qlik Sense SaaS tenant. You'll learn about concepts such as:

Understanding CSP

First of all, what's CSP? CSP (Content Security Policy) is a widely used security methodology in almost every modern browser. Basically, CSP disallows a webpage from accessing resources outside its own origin.

Explanation of CSP

This helps to prevent malicious code from affecting your site. CSP can be configured by adding a Content-Security-Policy header to your web pages that tells the browser what it should allow.

CSP in Qlik Sense SaaS

When you are trying to create a mashup, you probably get this CSP error:

CSP error in browser console

The browser throws this error because it's unable to display the iframe. The Qlik Sense SaaS tenant explicitly states in its CSP header that this iframe can only be displayed by “self” which, in this case, is your Qlik Sense SaaS tenant. Unlike a single server environment, the Qlik Sense SaaS tenant and your web app server are two separate entities, meaning Qlik's CSP policy blocks the access of objects in other domains. Again, this is a security precaution.

Single server environent vs. Qlik Sense SaaS tenant

Working with CSP

To solve this error, simply open the management console.

Management console with Content Security Policy menu item and Add button highlighted

In the left pane, select “Content security policy”. Click “Add”.

Content Security Policy - Add origin sidepanel

If you want to show an iframe on jsfiddle, for example, fill the “Origin” text box with “fiddle.jshell.net”, which is the output server address for jsfiddle. If you want to deploy the iframe locally, change it to "domain-address:port”. Check “frame-ancestors” under directive, and that should do the trick.

Jsfiddle with embedded charts

Summary

While by default Qlik's CSP policy only allows its contents to be displayed in its own tenant, by editing "content security policy" in the management console, developers should be able to access Qlik's content on an external server.

Was this page helpful?