
Managing Content Security Policy

SaaS editions of Qlik Sense use Content Security Policy (CSP) Level 2, which adds a layer of defense that helps detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection. Such attacks are used for everything from data theft to site defacement to distribution of malware.

In Qlik Sense Enterprise SaaS, CSP lets tenant admins control which resources an extension or a theme is allowed to load for a given page. With a few exceptions, policies consist of specifying server origins and script endpoints. If an extension or theme requests external resources, the origins of those resources must be allowlisted in the Content Security Policy; the browser blocks requests to origins that are not allowlisted for the relevant directive.

Warning: Microsoft Internet Explorer 11 does not support Content Security Policy. Extensions, themes and maps that use external resources are blocked in that browser because of this limitation in Microsoft Internet Explorer 11.

To manage content security policies in the Management Console, navigate to the Content Security Policy page.

For more information, see MDN Web Docs: Content Security Policy (CSP).

Content Security Policy overview

In the Content Security Policy page of the Management Console, the properties described below are shown.

Management Console properties

Property        Description
Name            Name of the content security policy entry.
Origin          Domain origin to allowlist.
Directive       Directive applicable to the origin.
Last updated    Displays when the entry was last updated.
Date created    Displays when the entry was created.

Directives

The directives control the locations from which certain resource types may be loaded. The following directives are supported in Qlik Sense Enterprise SaaS:

Directives

Directive        Description

child-src        Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
                 Note: To regulate nested browsing contexts and workers separately, use the frame-src and worker-src directives, respectively.

form-action      Restricts the URLs which can be used as the target of form submissions from a given context.

media-src        Specifies valid sources for loading media using the <audio>, <video> and <track> elements.

style-src        Specifies valid sources for stylesheets.

connect-src      Restricts the URLs which can be loaded using script interfaces such as fetch(), XMLHttpRequest, WebSocket and EventSource.

frame-src        Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.

frame-ancestors  Specifies valid parents that may embed the page using <frame>, <iframe>, <object>, <embed> or <applet>.

object-src       Specifies valid sources for the <object>, <embed>, and <applet> elements.
                 Note: The elements controlled by object-src are considered legacy HTML elements and are not receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). It is therefore recommended to restrict this fetch directive, for example by explicitly setting object-src 'none' where possible.

worker-src       Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

font-src         Specifies valid sources for fonts loaded using @font-face.

img-src          Specifies valid sources of images and favicons.

script-src       Specifies valid sources for JavaScript.

Content Security Policy entries and header length considerations

A tenant can have at most 256 Content Security Policy entries, and the resulting Content Security Policy header can be at most 2048 characters long. Both limits are built in and cannot be changed in Qlik Sense Enterprise SaaS.

If you receive an error message for exceeding either limit when adding a new Content Security Policy entry, remove redundant entries (for example, origins no longer used by any extension or theme) and then add your new entry. Since a CSP header lists its sources separately for each directive, an origin added under several directives appears in the header once per directive.

Creating a Content Security Policy entry

Note: A maximum of 256 Content Security Policy entries are allowed per tenant.

Do the following:

  1. In the Management Console, go to the Content Security Policy section and click Add in the upper right-hand corner.
  2. In the dialog, give the Content Security Policy entry a name.
  3. Type the address of the origin in the following format: domain.com.

     Qlik Sense enforces HTTPS, so no scheme is entered.
  4. Select the directive applicable for the origin.

     Note: You can add several directives to the same entry.
  5. Click Add.
Note: Users who are using the client when a Content Security Policy is created or edited need to refresh their browser for the changes to take effect.
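To make the relationship between console entries, the resulting header and what the browser then permits concrete, here is an added example (not Qlik's code, and not the actual header the product emits): a small JavaScript model that takes entries in the shape created in the procedure above (name, origin as domain.com, one or more directives), assembles a Content-Security-Policy header while applying the 256-entry and 2048-character limits from the previous section, and checks whether an extension's request for a given resource type would pass. The baseline policy (default-src 'self', object-src 'none'), the serialization, the tenant origin and the sample entries are assumptions.

```javascript
// Added example: a model of how Management Console CSP entries become a
// Content-Security-Policy header and how a browser then applies it to an
// extension's resource requests. Not Qlik's implementation: the baseline
// policy, the serialization and the sample origins are assumptions.

const MAX_ENTRIES = 256;        // per-tenant entry limit stated on the page
const MAX_HEADER_LENGTH = 2048; // header length limit stated on the page

// Directives offered in the console.
const DIRECTIVES = new Set([
  'child-src', 'connect-src', 'font-src', 'form-action', 'frame-src', 'frame-ancestors',
  'img-src', 'media-src', 'object-src', 'script-src', 'style-src', 'worker-src',
]);

// Assumed baseline that tenant entries are merged into (not given on the page).
const BASE_POLICY = { 'default-src': ["'self'"], 'object-src': ["'none'"] };

// Directives that do not fall back to default-src when absent (CSP Level 2).
const NO_FALLBACK = new Set(['frame-ancestors', 'form-action']);

// One entry as typed in the console: a name, a bare host (domain.com) and at
// least one directive. No scheme is accepted because HTTPS is enforced.
function validateEntry(entry) {
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(entry.origin)) {
    throw new Error(`${entry.name}: origin must look like domain.com, got ${entry.origin}`);
  }
  if (!entry.directives || entry.directives.length === 0) {
    throw new Error(`${entry.name}: at least one directive is required`);
  }
  for (const d of entry.directives) {
    if (!DIRECTIVES.has(d)) throw new Error(`${entry.name}: unsupported directive ${d}`);
  }
}

// Every allowlisted origin becomes an https:// source under each directive it
// was added for; both limits from the page are enforced here.
function buildHeader(entries) {
  if (entries.length > MAX_ENTRIES) {
    throw new Error(`too many CSP entries: ${entries.length} > ${MAX_ENTRIES}`);
  }
  const policy = {};
  for (const [d, srcs] of Object.entries(BASE_POLICY)) policy[d] = new Set(srcs);
  for (const entry of entries) {
    validateEntry(entry);
    for (const d of entry.directives) {
      if (!policy[d]) policy[d] = new Set();
      policy[d].add(`https://${entry.origin.toLowerCase()}`);
    }
  }
  const header = Object.entries(policy)
    .map(([d, srcs]) => `${d} ${[...srcs].join(' ')}`)
    .join('; ');
  if (header.length > MAX_HEADER_LENGTH) {
    throw new Error(`CSP header too long: ${header.length} > ${MAX_HEADER_LENGTH}`);
  }
  return header;
}

// Parse a header value back into { directive: [source, ...] }.
function parseHeader(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...srcs] = part.trim().split(/\s+/);
    if (name) policy[name] = srcs;
  }
  return policy;
}

// Match one source expression against a request URL. Only the forms this
// model produces are handled: 'self', 'none' and https://host.
function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  const m = /^https:\/\/([^/]+)$/i.exec(src);
  if (!m) return false;
  return url.protocol === 'https:' && url.hostname.toLowerCase() === m[1].toLowerCase();
}

// Would the browser let a resource governed by `directive` load from `resourceUrl`?
function isAllowed(header, directive, resourceUrl, pageOrigin) {
  const policy = parseHeader(header);
  let srcs = policy[directive];
  if (!srcs && !NO_FALLBACK.has(directive)) srcs = policy['default-src'];
  if (!srcs) return true; // no governing directive: CSP places no restriction
  const url = new URL(resourceUrl);
  return srcs.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample entries: a map extension and a theme with hosted fonts.
const SAMPLE_ENTRIES = [
  { name: 'map tiles', origin: 'tiles.example.com', directives: ['img-src', 'connect-src'] },
  { name: 'theme fonts', origin: 'fonts.example.com', directives: ['font-src', 'style-src'] },
];

function demo(pageOrigin = 'https://tenant.example.com') {
  const header = buildHeader(SAMPLE_ENTRIES);
  return {
    header,
    tileImage: isAllowed(header, 'img-src', 'https://tiles.example.com/1/2/3.png', pageOrigin),
    tileScript: isAllowed(header, 'script-src', 'https://tiles.example.com/lib.js', pageOrigin),
    plainHttp: isAllowed(header, 'img-src', 'http://tiles.example.com/1/2/3.png', pageOrigin),
    ownScript: isAllowed(header, 'script-src', `${pageOrigin}/extensions/main.js`, pageOrigin),
    plugin: isAllowed(header, 'object-src', 'https://tiles.example.com/viewer.swf', pageOrigin),
  };
}

console.log(demo());
```

Running demo() shows the points that matter when allowlisting for an extension: the tile host is allowed for images but not for scripts, because script-src is absent and falls back to the assumed default-src 'self'; a plain http:// request to the same host is refused, since the entry is allowlisted as https only; and the plug-in load fails on object-src 'none' regardless of origin. The header is only evaluated when a page is loaded, which is why users already in the client must refresh after an entry is created or edited.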

Editing a Content Security Policy entry

Do the following:

  1. In the Management Console, go to the Content Security Policy section, select the CSP entry you want to edit and then click Edit.
  2. In the dialog, change the CSP entry options as needed.
  3. Click Save.
Note: Users who are using the client when a Content Security Policy is created or edited need to refresh their browser for the changes to take effect.

Deleting a Content Security Policy entry

Do the following:

  1. In the Management Console, go to the Content Security Policy section, select the CSP entry you want to remove and then click Delete.

    Note: You can remove several items at a time.
  2. Confirm that you want to delete the CSP entry.

Copying the Content Security Policy header

Note: A maximum of 2048 characters are allowed in the Content Security Policy header.

Do the following:

  1. In the Management Console, go to the Content Security Policy section and click View header.
  2. In the dialog, click Copy to clipboard.
  3. Click Done.