CSP - what is it and how to use it?

This tutorial explains the concept of Content Security Policy (CSP) and walks through the steps to modify the CSP on your Qlik Sense SaaS tenant. You'll learn what CSP is, why it blocks a mashup from embedding Qlik content, and how to change the policy so that it doesn't.

Understanding CSP

First of all, what is CSP? CSP (Content Security Policy) is a widely used security mechanism supported by almost every modern browser. Basically, a CSP restricts a web page to resources from its own origin unless other origins are explicitly allowed.


This helps prevent malicious code from affecting your site. CSP is configured by adding a Content-Security-Policy header to the HTTP responses for your web pages; the header tells the browser what it should allow.

CSP in Qlik Sense SaaS

When you are trying to create a mashup, you will probably run into a CSP error.

The browser throws this error because it refuses to render the iframe. The Qlik Sense SaaS tenant explicitly states in its CSP header that its pages may only be framed by “self”, which in this case is your Qlik Sense SaaS tenant itself. Unlike a single-server environment, the Qlik Sense SaaS tenant and your web app server are two separate origins, so Qlik's CSP policy blocks pages on other domains from embedding its objects. Again, this is a security precaution.

Working with CSP

To solve this error, open the management console.

In the left pane, select “Content security policy”. Click “add”.

If you want to show an iframe on jsfiddle, for example, fill the “Origin” text box with “fiddle.jshell.net”, which is the server address that jsfiddle serves its output from. If you want to deploy the iframe locally, use “domain-address:port” instead. Under “Directive”, check “frame-ancestors”, and that should do the trick.
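To see why the default policy blocks the mashup and why adding an origin with the frame-ancestors directive fixes it, here is a simplified model of the browser-side check. It is an added example, not Qlik's code or its real header; the tenant URL is a constructed placeholder and the policies are only the shapes the text describes.

```javascript
// Simplified model of how a browser evaluates the CSP frame-ancestors directive
// for a page loaded inside an <iframe>. Added example, not Qlik's code; TENANT is a
// constructed placeholder and DEFAULT_POLICY is the 'self' shape the tutorial describes.

// Split "dir1 a b; dir2 c" into { dir1: ["a", "b"], dir2: ["c"] }; the first
// occurrence of a directive wins, as in browsers.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Does one source expression ('self', 'none', "https:", "host[:port]",
// "scheme://host[:port]", "*.host") match the embedding page's origin? Paths are not modelled.
function sourceMatches(source, pageOrigin, ancestorOrigin) {
  const page = new URL(pageOrigin);
  const ancestor = new URL(ancestorOrigin);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return page.origin === ancestor.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return ancestor.protocol === src; // scheme-source
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme the ancestor must use the page's scheme (or https).
  const schemeOk = scheme ? ancestor.protocol === scheme + ":"
                          : ancestor.protocol === page.protocol || ancestor.protocol === "https:";
  const hostOk = wildcard ? ancestor.hostname.endsWith("." + host) : ancestor.hostname === host;
  // URL() reports "" for a scheme's default port, so no port in the source means "default port".
  const portOk = port === "*" || (port ? ancestor.port === port : ancestor.port === "");
  return schemeOk && hostOk && portOk;
}

// May ancestorOrigin frame the page served from pageOrigin under cspHeader? Without a
// frame-ancestors directive CSP does not restrict framing (it does not fall back to default-src).
function isFramingAllowed(cspHeader, pageOrigin, ancestorOrigin) {
  const sources = parseCsp(cspHeader)["frame-ancestors"];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, pageOrigin, ancestorOrigin));
}

// Constructed sample values; TENANT is a placeholder, not a real tenant URL.
const TENANT = "https://tenant.example";
const DEFAULT_POLICY = "frame-ancestors 'self'"; // what the tutorial describes
const WIDENED_POLICY = "frame-ancestors 'self' fiddle.jshell.net http://localhost:8080"; // after the console change
console.log(isFramingAllowed(DEFAULT_POLICY, TENANT, "https://fiddle.jshell.net")); // false: blocked
console.log(isFramingAllowed(WIDENED_POLICY, TENANT, "https://fiddle.jshell.net")); // true
```

Each origin added in the console becomes one more entry in this list, so only the origins that actually need to embed the content should be added.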

Summary

By default, Qlik's CSP policy only allows its content to be displayed within its own tenant. By editing “Content security policy” in the management console, developers can allow Qlik content to be embedded from an external web server.