
Managing Content Security Policy

Qlik Cloud uses Content Security Policy (CSP) Level 2, which provides an extra layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

In Qlik Cloud, CSP allows tenant admins to control which resources an extension or a theme is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. If an extension or theme contains requests to external resources, the origins of those resources must be added to the allowlist in the Content Security Policy.

To manage content security policies in the Management Console, navigate to the Content Security Policy page.

For more information, see MDN Web Docs: Content Security Policy (CSP).

Content Security Policy overview

In the Content Security Policy page of the Management Console, the properties described below are shown.

Management Console properties (property: description)

Name: Name of the content security policy entry.

Origin: Domain origin to add to the allowlist.

Directive: Directive applicable to the origin.

Last updated: When the entry was last updated.

Date created: When the entry was created.

Directives

The directives control locations from which certain resource types may be loaded. The directives described below are supported in Qlik Sense Enterprise.

Directives in Qlik Sense Enterprise (directive: description)

child-src: Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. If you want to regulate nested browsing contexts and workers separately, use the frame-src and worker-src directives, respectively.

form-action: Restricts the URLs which can be used as the target of form submissions from a given context.

media-src: Specifies valid sources for loading media using the <audio>, <video> and <track> elements.

style-src: Specifies valid sources for stylesheets.

connect-src: Restricts the URLs which can be loaded using script interfaces.

frame-src: Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.

frame-ancestors: Specifies valid sources for embedding the resource using <frame>, <iframe>, <object>, <embed> and <applet>.

object-src: Specifies valid sources for the <object>, <embed>, and <applet> elements. Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and are not receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). It is therefore recommended to restrict this fetch directive (for example, explicitly set object-src 'none' if possible).

worker-src: Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

font-src: Specifies valid sources for fonts loaded using @font-face.

image-src: Specifies valid sources of images and favicons.

script-src: Specifies valid sources for JavaScript.

Qlik Cloud default Content Security Policy

Qlik Cloud has a default CSP for all users which includes domains that are safe-listed. For example, you can use images from the following domains without needing to add them to your own content security policy. Images taken from other sources must have their domains added to the content security policy.

Default sources for images and favicons in Qlik Cloud:

  • maps.qlikcloud.com

  • ibasemaps-api.arcgis.com

  • cdn.pendo.io

  • app.pendo.io

  • pendo-static-5763789454311424.storage.googleapis.com

  • data.pendo.io

  • *.gravatar.com

  • *.wp.com

  • *.googleusercontent.com

  • cdn.qlik-stage.com

  • cdn.qlikcloud.com

For a list of other default domains available for all Qlik Cloud users, see Allowlisting domain names and IP addresses.
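The following is an added example, not code from Qlik or from this page. It shows how a browser evaluates the directives in the table above against a resource URL: a header value is parsed into directives, a URL is checked against the governing source list, the frame-src/worker-src fallback to child-src described under child-src is applied, and the 'none' keyword recommended for object-src is honoured. The header value, the partner hosts (on the reserved .example TLD) and the tenant host tenant.example are constructed for the example; the image hosts are taken from the default list above, and the standard directive name img-src is used for images.

```python
"""Check a resource URL against a CSP source list (added example, not Qlik's code)."""
from urllib.parse import urlparse

# Fallback chain as described on the page: frame-src and worker-src are
# governed by child-src when absent (CSP Level 3 also lets worker-src fall
# back to script-src). default-src is deliberately left out of this sample.
FALLBACK = {
    "frame-src": ["child-src"],
    "worker-src": ["child-src", "script-src"],
}

# Constructed sample header value; the *.partner.example hosts are made up.
CSP_HEADER = (
    "img-src 'self' maps.qlikcloud.com *.gravatar.com cdn.qlikcloud.com; "
    "child-src *.partner.example; "
    "connect-src https://api.partner.example; "
    "object-src 'none'"
)


def parse_csp(header):
    """Turn "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern, host):
    """CSP host matching: exact host, or a '*.' wildcard that covers
    subdomains only (*.domain.com does not match domain.com itself)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_matches(source, parsed, page_host):
    """Does one source expression in a directive match the parsed URL?"""
    if source == "'self'":
        return parsed.hostname == page_host
    if source.startswith("'"):
        return False  # other keywords ('unsafe-inline', nonces...) name no host
    if source.endswith(":") and "//" not in source:
        return parsed.scheme == source[:-1]  # scheme-source such as https:
    if "://" in source:
        scheme, _, source = source.partition("://")
        if scheme != parsed.scheme:
            return False
    host = source.split("/")[0].split(":")[0]  # path and port ignored here
    return host_matches(host, parsed.hostname or "")


def effective_sources(policy, directive):
    """Source list governing the directive after fallback; None if nothing does."""
    for name in [directive, *FALLBACK.get(directive, [])]:
        if name in policy:
            return policy[name]
    return None


def is_allowed(policy, directive, url, page_host):
    """True if loading `url` under `directive` passes this policy. Only https
    URLs can pass, mirroring the page's note that HTTPS is enforced."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # ungoverned: nothing restricts it without a default-src
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, parsed, page_host) for s in sources)


POLICY = parse_csp(CSP_HEADER)

if __name__ == "__main__":
    for directive, url in [
        ("img-src", "https://maps.qlikcloud.com/tile.png"),
        ("img-src", "https://gravatar.com/avatar.png"),
        ("frame-src", "https://widget.partner.example/embed"),
        ("object-src", "https://cdn.qlikcloud.com/plugin.swf"),
    ]:
        print(f"{directive:11} {url:45} {is_allowed(POLICY, directive, url, 'tenant.example')}")
```

Two results are worth noting when deciding what to allowlist: a wildcard entry such as *.gravatar.com does not cover the apex gravatar.com, so an extension that fetches from the bare domain needs its own entry, and a directive with no entry at all (style-src in this sample) leaves that resource type unrestricted unless a default-src covers it.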

Content Security Policy entries and header length considerations

The maximum number of Content Security Policy entries allowed per tenant is 256. If you receive an error message for exceeding the number of allowed Content Security Policy entries, you can remove redundant Content Security Policy entries and then add your new Content Security Policy entry.

The maximum length of the Content Security Policy header is 3,072 characters. If you receive an error message for exceeding the Content Security Policy header length when adding a new Content Security Policy entry, you can remove redundant Content Security Policy entries and then add your new Content Security Policy entry.

Both limits, the maximum length of the CSP header and the maximum number of CSP entries per tenant, are built-in defaults and cannot be changed in Qlik Cloud.

Creating a Content Security Policy entry

Information note: Maximum 256 Content Security Policy entries are allowed per tenant.

Do the following:

  1. In the Management Console, go to the Content Security Policy section and click Add in the upper right-hand corner.

  2. In the dialog, give the Content Security Policy a name.

  3. Type the address of the origin in one of the following formats:

    • domain.com

    • *.domain.com

    Qlik Sense enforces HTTPS.

  4. Select the directive applicable for the origin.

    Information note: You can add several directives.

  5. Click Add.

Information note: Users who are using the client when a Content Security Policy is created or edited need to refresh their browser for the changes to take effect.
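The following is an added example, not Qlik's code, that checks a batch of planned entries before they are typed into the dialog above. It validates the two origin formats the step lists (domain.com and *.domain.com), applies the per-tenant limit of 256 entries and the 3,072-character header length from the header length section, and names entries that are redundant because an earlier entry already covers the same origin and directive. The entry shape (name, origin, directives), the helper names and the sample entries are assumptions for this example; the example also rejects origins typed with a scheme or path, since the listed formats carry neither and HTTPS is enforced. The computed header covers only the tenant's own entries, so treat its length as a lower bound: the header Qlik Cloud actually sends also carries the default sources described on this page.

```python
"""Validate planned CSP entries against the limits stated on the page (added example)."""
import re

MAX_ENTRIES = 256           # per tenant, from the page
MAX_HEADER_LENGTH = 3072    # characters, from the page

# Accepts "domain.com" or "*.domain.com": optional "*." then at least two labels.
ORIGIN_RE = re.compile(r"^(\*\.)?(?:[a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)

# Constructed sample entries; the partner hosts use the reserved .example TLD.
SAMPLE_ENTRIES = [
    {"name": "partner-cdn", "origin": "cdn.partner.example",
     "directives": ["script-src", "style-src"]},
    {"name": "partner-api", "origin": "*.api.partner.example",
     "directives": ["connect-src"]},
    {"name": "partner-cdn-dup", "origin": "cdn.partner.example",
     "directives": ["script-src"]},  # already covered by partner-cdn
    {"name": "bad-origin", "origin": "https://cdn.partner.example/js",
     "directives": ["script-src"]},  # scheme and path are not allowed formats
]


def validate_origin(origin):
    """True only for the formats the dialog accepts: domain.com or *.domain.com.
    A scheme or path is rejected (assumption): HTTPS is enforced, so none is typed."""
    if "://" in origin or "/" in origin:
        return False
    return ORIGIN_RE.fullmatch(origin) is not None


def build_header(entries):
    """Group origins per directive, skipping duplicate hosts, and render the
    'directive host host; directive host' form of a CSP header value."""
    per_directive = {}
    for entry in entries:
        for directive in entry["directives"]:
            hosts = per_directive.setdefault(directive, [])
            if entry["origin"] not in hosts:
                hosts.append(entry["origin"])
    return "; ".join(f"{d} {' '.join(hosts)}" for d, hosts in per_directive.items())


def find_redundant(entries):
    """Names of entries whose every (origin, directive) pair is already
    covered by an earlier entry: the first candidates to remove when a limit is hit."""
    seen, redundant = set(), []
    for entry in entries:
        pairs = {(entry["origin"].lower(), d) for d in entry["directives"]}
        if pairs <= seen:
            redundant.append(entry["name"])
        seen |= pairs
    return redundant


def check_limits(entries):
    """Return a list of problems: malformed origins, too many entries, header too long."""
    problems = []
    for entry in entries:
        if not validate_origin(entry["origin"]):
            problems.append(
                f"{entry['name']}: origin '{entry['origin']}' must be domain.com or *.domain.com")
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    header = build_header(entries)
    if len(header) > MAX_HEADER_LENGTH:
        problems.append(f"header is {len(header)} characters, limit is {MAX_HEADER_LENGTH}")
    return problems


if __name__ == "__main__":
    for problem in check_limits(SAMPLE_ENTRIES):
        print("problem:", problem)
    print("redundant entries:", find_redundant(SAMPLE_ENTRIES))
    print("header:", build_header(SAMPLE_ENTRIES[:3]))
```

Running the check before opening the dialog turns the Management Console's "too many entries" and "header too long" errors into a list you can act on in advance, with the redundant entries identified first so that removing them is the deliberate choice the page recommends rather than a guess.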

Editing a Content Security Policy entry

Do the following:

  1. In the Management Console, go to the Content Security Policy section.
  2. Find the CSP entry you want to edit, click More, and select Edit.
  3. In the dialog, change the CSP entry options as wanted.
  4. Click Save.
Information note: Users who are using the client when a Content Security Policy is created or edited need to refresh their browser for the changes to take effect.

Deleting a Content Security Policy entry

Do the following:

  1. In the Management Console, go to the Content Security Policy section, select the CSP entry you want to remove, and then click Delete.

    Information note: You can remove several items at a time.

  2. Confirm that you want to delete the CSP entry.

Copying the Content Security Policy header

Information note: Maximum 6,144 characters are allowed in the Content Security Policy header.

Do the following:

  1. In the Management Console, go to the Content Security Policy section and click View header.
  2. In the dialog, click Copy to clipboard.
  3. Click Done.
