Violation in Content Security Policy when making a request to a alternative app backend #6703

ttschuemp · 2024-01-13T14:04:28Z

ttschuemp
Jan 13, 2024

I'm currently exploring the implementation of a new feature for the Redash app using an alternative backend. While attempting to make a request from the Redash frontend, I encountered the following error:

Refused to connect to 'https://app-backend.lbe3454tvs.azurewebsites.net/test' because it violates the document's Content Security Policy.

Interestingly, testing this API with Postman yielded successful results, and connecting to it from any other frontend also worked seamlessly. Hence, I suspect there might be a specific handling of Content Security Policy (CSP) within the Redash app that is causing this issue. Could you provide insights into how CSP is managed in the Redash app?

Answered by gaecoli

Jan 17, 2024

This default config is "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-ancestors 'none'; frame-src redash.io;",

View full answer

gaecoli · 2024-01-17T02:14:58Z

gaecoli
Jan 17, 2024
Maintainer

CONTENT_SECURITY_POLICY = os.environ.get(
"REDASH_CONTENT_SECURITY_POLICY",
"default-src 'self' ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' ; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-ancestors 'none'; frame-src redash.io;",
)

0 replies

gaecoli · 2024-01-17T02:16:29Z

gaecoli
Jan 17, 2024
Maintainer

I'm currently exploring the implementation of a new feature for the Redash app using an alternative backend. While attempting to make a request from the Redash frontend, I encountered the following error:

Refused to connect to 'https://app-backend.lbe3454tvs.azurewebsites.net/test' because it violates the document's Content Security Policy.

Interestingly, testing this API with Postman yielded successful results, and connecting to it from any other frontend also worked seamlessly. Hence, I suspect there might be a specific handling of Content Security Policy (CSP) within the Redash app that is causing this issue. Could you provide insights into how CSP is managed in the Redash app?

redash/redash/settings/__init__.py

Line 114 in cd03da3

CONTENT_SECURITY_POLICY = os.environ.get(

You have to set you request url in REDASH_CONTENT_SECURITY_POLICY

1 reply

gaecoli Jan 17, 2024
Maintainer

This default config is "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-ancestors 'none'; frame-src redash.io;",

Answer selected by ttschuemp

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Violation in Content Security Policy when making a request to a alternative app backend #6703

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Violation in Content Security Policy when making a request to a alternative app backend #6703

ttschuemp Jan 13, 2024

Replies: 2 comments · 1 reply

gaecoli Jan 17, 2024 Maintainer

gaecoli Jan 17, 2024 Maintainer

gaecoli Jan 17, 2024 Maintainer

ttschuemp
Jan 13, 2024

Replies: 2 comments 1 reply

gaecoli
Jan 17, 2024
Maintainer

gaecoli
Jan 17, 2024
Maintainer

gaecoli Jan 17, 2024
Maintainer