CSP - what is it and how to use it?
This tutorial explains the concept of Content Security Policy (CSP) and shows how to modify CSP policies in your Qlik Sense SaaS tenant. You'll learn about concepts such as:
- Understanding Content Security Policy (CSP)
- How to setup CSP policies for Qlik Sense SaaS
First of all, what is CSP? Content Security Policy (CSP) is a security mechanism supported by almost every modern browser. In essence, CSP restricts a web page to resources from its own origin unless the policy explicitly allows other origins.
This helps prevent injected or malicious code from affecting your site. CSP is configured by adding a Content-Security-Policy HTTP header to your web pages that tells the browser what it should allow.
When you try to build a mashup, you will probably run into this CSP error:
The browser throws this error because it is unable to display the iframe. The Qlik Sense SaaS tenant explicitly states in its CSP header that this iframe can only be displayed by “self”, which in this case is your Qlik Sense SaaS tenant. Unlike a single-server environment, the Qlik Sense SaaS tenant and your web app server are two separate entities, so Qlik's CSP policy blocks other domains from embedding its objects. Again, this is a security precaution.
To resolve this error, open the management console.
In the left pane, select “Content security policy”. Click “Add”.
If you want to show an iframe on jsfiddle, for example, fill the “Origin” text box with “fiddle.jshell.net”, which is the output server address for jsfiddle. If you want to deploy the iframe locally, change it to “domain-address:port”. Under “Directive”, check “frame-ancestors”, and that should do the trick.
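As an added illustration (not part of this tutorial or of Qlik's code), the following Python evaluates whether a given embedding origin satisfies a page's frame-ancestors directive, following the CSP source-matching rules; it goes beyond the page's single case and also handles scheme-only sources, wildcard hosts and explicit ports. The tenant name, the "before" and "after" headers and the localhost port are constructed placeholders.

```python
"""Check whether an embedding origin may frame a page, per its CSP
frame-ancestors directive.  All sample values are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
TENANT = "https://tenant.example.com"  # placeholder for your Qlik Sense SaaS tenant
CSP_BEFORE = "default-src 'self'; frame-ancestors 'self'"
CSP_AFTER = ("default-src 'self'; "
             "frame-ancestors 'self' fiddle.jshell.net http://localhost:8080")

def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname, u.port or DEFAULT_PORTS.get(scheme)

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _source_matches(src, tenant, embedder):
    """Match one source expression against the embedder origin."""
    e_scheme, e_host, e_port = embedder
    src = src.lower()
    if src in ("'none'", "*", "'self'"):
        return src == "*" or (src == "'self'" and tenant == embedder)
    if src.endswith(":") and "://" not in src:       # scheme-source, e.g. "https:"
        return e_scheme == src[:-1]
    src_scheme, sep, rest = src.partition("://")
    if not sep:                                       # no scheme-part in the source
        src_scheme, rest = None, src
    # Without a scheme-part, the embedder must use the page's scheme or https.
    if (src_scheme != e_scheme) if src_scheme else (e_scheme not in (tenant[0], "https")):
        return False
    src_host, _, src_port = rest.partition(":")
    if src_port and src_port != "*" and int(src_port) != e_port:
        return False
    if not src_port and e_port != DEFAULT_PORTS.get(e_scheme):
        return False                                  # no port-part: default port only
    if src_host.startswith("*."):                     # "*.example.com" matches subdomains only
        return e_host.endswith(src_host[1:])
    return e_host == src_host

def framing_allowed(csp_header, tenant_origin, embedder_origin):
    """True if the browser would let embedder_origin frame the tenant page."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True  # no frame-ancestors directive: CSP does not restrict framing
    tenant, embedder = _origin(tenant_origin), _origin(embedder_origin)
    return any(_source_matches(s, tenant, embedder) for s in sources)
```

With the default policy the jsfiddle origin is rejected; after adding the two origins under frame-ancestors, jsfiddle and the local port 8080 are accepted while a different local port is still blocked.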
While by default Qlik's CSP policy only allows its content to be displayed within its own tenant, editing “Content security policy” in the management console lets developers display Qlik's content from an external server.