Managing Content Security Policy
Control and manage your Content Security Policy (CSP) in Qlik Cloud to enhance protection against attacks like Cross Site Scripting (XSS) and data injection.
Qlik Cloud uses Content Security Policy (CSP) Level 2, which provides an extra layer of security that helps to detect and mitigate certain types of attacks, including XSS and data injection. These attacks can lead to data theft, site defacement, and malware distribution.
CSP lets tenant admins control which resources an extension or a theme may load on a given page. A policy is expressed as a set of directives, each listing the server origins or script endpoints allowed for one resource type. If an extension or theme requests resources from an external origin, that origin must be added to the CSP allowlist for the relevant directives; otherwise the browser blocks the request.
For more information, see MDN Web Docs: Content Security Policy (CSP).
Directives
Directives control locations from which certain resource types may be loaded. The following directives are supported:
Directive | Description |
---|---|
child-src | Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. Use frame-src and worker-src for more specific control. |
form-action | Restricts the URLs that can be used as the target of form submissions from a given context. |
media-src | Specifies valid sources for loading media using the <audio>, <video>, and <track> elements. |
style-src | Specifies valid sources for stylesheets. |
connect-src | Restricts the URLs that can be loaded using script interfaces such as fetch, XMLHttpRequest, WebSocket, and EventSource. |
frame-src | Specifies valid sources for nested browsing contexts using elements such as <frame> and <iframe>. |
frame-ancestors | Specifies which parents may embed the page using <frame>, <iframe>, <object>, <embed>, and <applet>. |
object-src | Specifies valid sources for the <object>, <embed>, and <applet> elements. These are legacy HTML elements that are not receiving new standardized features, such as the security attributes sandbox or allow for <iframe>. Restrict this fetch directive where possible, for example by explicitly setting object-src 'none'. |
worker-src | Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. |
font-src | Specifies valid sources for fonts loaded using @font-face. |
img-src | Specifies valid sources of images and favicons. |
script-src | Specifies valid sources for JavaScript. |
Qlik Cloud default CSP
Qlik Cloud has a default CSP that includes safe-listed domains. For example, you can use images from the following domains without adding them to your CSP:
- maps.qlikcloud.com
- ibasemaps-api.arcgis.com
- cdn.pendo.io
- app.pendo.io
- pendo-static-5763789454311424.storage.googleapis.com
- data.pendo.io
- *.gravatar.com
- *.wp.com
- *.googleusercontent.com
- cdn.qlik-stage.com
- cdn.qlikcloud.com
For a full list of default domains, see Allowlisting domain names and IP addresses.
CSP entries and header limits
The maximum number of CSP entries per tenant and the maximum length of the CSP header are built-in limits and cannot be changed.
- Maximum entries: up to 256 CSP entries per tenant. If you reach this limit, remove redundant entries before adding new ones.
- Header length: the CSP header can be up to 6,144 characters long. If you reach this limit, remove redundant entries before adding new ones.
Creating a CSP entry
Do the following:
- In the Administration activity center, go to Content Security Policy.
- Click Add.
- Provide a name.
- Enter the origin in one of the following formats:
  - domain.com
  - *.domain.com
  Information note: Qlik Sense enforces HTTPS, so the origin is entered without a scheme.
- Select the applicable directives.
- Click Add.
Users must refresh their browser for the changes to take effect.
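To see how the entries created with this procedure turn into a header, and what a given entry actually allows, the following added example (not Qlik's code) models tenant entries as the dialog above collects them (name, origin in domain.com or *.domain.com form, directives from the table above) and renders a header from them, enforcing the 256-entry and 6,144-character limits. It then checks a resource load against the entries using the CSP source-matching rules: HTTPS only, `*.domain.com` matches subdomains but not the apex domain itself, and frame-src and worker-src fall back to child-src when they are not set. Qlik's own default sources are omitted and the hostnames and entry names are constructed for illustration; the directive is spelled `img-src`, its standard name.

```javascript
// Added example (not Qlik Cloud code): render a CSP header from tenant entries
// and check whether a resource load would be allowed by them.
// Qlik's own default sources are left out; entries below are constructed.

const SUPPORTED_DIRECTIVES = new Set([
  'child-src', 'form-action', 'media-src', 'style-src', 'connect-src',
  'frame-src', 'frame-ancestors', 'object-src', 'worker-src', 'font-src',
  'img-src', 'script-src',
]);
const MAX_ENTRIES = 256;       // entries per tenant (documented limit)
const MAX_HEADER_CHARS = 6144; // header length (documented limit)

// Only the two documented origin formats are accepted: domain.com or *.domain.com.
// No scheme, port or path: HTTPS is enforced, so the scheme is implied.
const ORIGIN_RE = /^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function validateEntry(entry) {
  if (!entry.name) throw new Error('entry needs a name');
  if (!ORIGIN_RE.test(entry.origin)) {
    throw new Error(`invalid origin "${entry.origin}": use domain.com or *.domain.com`);
  }
  for (const d of entry.directives) {
    if (!SUPPORTED_DIRECTIVES.has(d)) throw new Error(`unsupported directive "${d}"`);
  }
  return entry;
}

// Group origins per directive ("directive https://origin ...") and apply both limits.
function buildHeader(entries) {
  if (entries.length > MAX_ENTRIES) {
    throw new Error(`too many entries (${entries.length} > ${MAX_ENTRIES}); remove redundant ones`);
  }
  const byDirective = new Map();
  for (const e of entries.map(validateEntry)) {
    for (const d of e.directives) {
      if (!byDirective.has(d)) byDirective.set(d, new Set());
      byDirective.get(d).add(`https://${e.origin.toLowerCase()}`);
    }
  }
  const header = [...byDirective]
    .map(([d, srcs]) => `${d} ${[...srcs].join(' ')}`)
    .join('; ');
  if (header.length > MAX_HEADER_CHARS) {
    throw new Error(`header too long (${header.length} > ${MAX_HEADER_CHARS} chars)`);
  }
  return header;
}

// CSP host matching: "*.example.com" matches any subdomain, but not example.com itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Would loading `url` under `directive` be allowed by these entries?
// frame-src and worker-src fall back to child-src when not set (CSP Level 2).
function isAllowed(entries, directive, url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') return false; // HTTPS enforced
  let applicable = entries.filter(e => e.directives.includes(directive));
  if (applicable.length === 0 && (directive === 'frame-src' || directive === 'worker-src')) {
    applicable = entries.filter(e => e.directives.includes('child-src'));
  }
  return applicable.some(e => hostMatches(e.origin.toLowerCase(), u.hostname));
}

// Constructed tenant entries, as the "Creating a CSP entry" dialog would store them.
const tenantEntries = [
  { name: 'Chart library CDN', origin: 'cdn.example-charts.com', directives: ['script-src', 'style-src'] },
  { name: 'Corporate fonts', origin: '*.fonts.example.com', directives: ['font-src'] },
  { name: 'Embedded dashboards', origin: 'intranet.example.com', directives: ['child-src'] },
];

console.log(buildHeader(tenantEntries));
// The apex host is not covered by the wildcard entry, so this returns false.
console.log(isAllowed(tenantEntries, 'font-src', 'https://fonts.example.com/a.woff2'));
```

The wildcard behaviour is the point most often misread when an entry "does not work": `*.fonts.example.com` allows `static.fonts.example.com` but not `fonts.example.com`, so a resource served from the apex host needs its own entry.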
Editing a CSP entry
Do the following:
- In the Administration activity center, go to Content Security Policy.
- Find the CSP entry you want to edit, open its options menu, and select Edit.
- Change the CSP options as needed.
- Click Save.
Users must refresh their browser for the changes to take effect.
Deleting a CSP entry
Do the following:
- In the Administration activity center, go to Content Security Policy.
- Select the CSP entries you want to remove and click Delete.
- Confirm the deletion.
Viewing and copying the CSP header
Do the following:
- In the Administration activity center, go to Content Security Policy.
- Click View header.
- In the dialog, click Copy to clipboard.
- Click Done.
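Once the header has been copied, it is worth auditing it rather than only reading it. The following added example (not Qlik's code) parses a header string of the form produced above and reports the two kinds of redundant entry that eat into the 256-entry and 6,144-character limits (a source listed twice in one directive, and a host already covered by a wildcard in the same directive), and flags a header that does not set object-src 'none', the restriction recommended in the directives table. The sample header is constructed; a real Qlik Cloud header also carries Qlik's default sources, which the same parser handles.

```javascript
// Added example (not Qlik Cloud code): audit a CSP header copied from
// "View header" for redundant sources and for a missing object-src 'none'.
// The sample header is constructed, not a real tenant's.

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Strip the scheme so "https://*.example.com" and "*.example.com" compare equal.
function hostOf(source) {
  return source.replace(/^https?:\/\//i, '').toLowerCase();
}

// CSP wildcard semantics: "*.example.com" covers any host ending in ".example.com".
function coveredByWildcard(host, wildcard) {
  if (!wildcard.startsWith('*.')) return false;
  const suffix = wildcard.slice(1);
  return host.endsWith(suffix) && host.length > suffix.length;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const [directive, sources] of policy) {
    // Exact duplicates within one directive.
    const seen = new Set();
    for (const s of sources) {
      const key = s.startsWith("'") ? s : hostOf(s); // keywords like 'self' compared as-is
      if (seen.has(key)) findings.push(`${directive}: duplicate source ${s}`);
      seen.add(key);
    }
    // Hosts made redundant by a wildcard in the same directive.
    const hosts = sources.filter(s => !s.startsWith("'")).map(hostOf);
    for (const h of new Set(hosts)) {
      const w = hosts.find(x => x !== h && coveredByWildcard(h, x));
      if (w) findings.push(`${directive}: ${h} is already covered by ${w}`);
    }
  }
  const objectSrc = policy.get('object-src');
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push("object-src: not set to 'none'; legacy <object>/<embed> loads are not restricted");
  }
  return findings;
}

// Constructed header: one duplicate, one host shadowed by a wildcard, object-src locked down.
const sampleHeader =
  'script-src https://cdn.example.com https://*.example.com https://cdn.example.com; ' +
  'img-src https://maps.qlikcloud.com https://*.gravatar.com; ' +
  'frame-src https://intranet.example.com; ' +
  "object-src 'none'";

for (const f of auditCsp(sampleHeader)) console.log(f);
```

Each finding maps back to an entry in the Content Security Policy list: a duplicate source means two entries with the same origin and directive, and a host covered by a wildcard means a more specific entry that the wildcard entry already makes unnecessary. Removing those is the cleanup the limits section above asks for.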