Content Security Policy
Tableau Server supports the Content Security Policy (CSP) standard. CSP is intended to be an additional layer of defense against cross-site scripting and other malicious web-based attacks. CSP is implemented as an HTTP response header that allows you to specify where external resources, such as scripts and images, can be safely loaded from.
See the Mozilla website for more information about CSP.
Configure and enable CSP
CSP is configured and enabled using tsm configuration set options. If you are running Tableau Server in a distributed deployment, run these commands on the initial node in the cluster. The configuration is applied across the cluster after you run tsm pending-changes apply.
Step 1: Set default directives
Tableau Server includes the set of default directives in the table below.
To set a directive, use the following tsm syntax:
tsm configuration set -k content_security_policy.directive.<directive_name> -v "<value>"
For example, to set the connect_src directive, run the following command:
tsm configuration set -k content_security_policy.directive.connect_src -v "* unsafe-inline"
Option | Default value | Description |
---|---|---|
content_security_policy.directive.default_src | 'none' | Serves as a fallback for the other fetch directives. |
content_security_policy.directive.connect_src | * | Restricts the URLs which can be loaded using script interfaces. |
content_security_policy.directive.script_src | * | Specifies valid sources for JavaScript. |
content_security_policy.directive.style_src | * 'unsafe-inline' | Specifies valid sources for stylesheets. |
content_security_policy.directive.img_src | * data: | Specifies valid sources of images and favicons. |
content_security_policy.directive.font_src | * data: | Specifies valid sources for fonts loaded using @font-face. |
content_security_policy.directive.frame_src | * data: | Specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>. |
content_security_policy.directive.object_src | data: | Specifies valid sources for the <object>, <embed>, and <applet> elements. |
content_security_policy.directive.report_uri | /vizql/csp-report | Instructs the user agent to report attempts to violate the CSP. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. |
Step 2: Add additional directives (optional)
The default directives included with Tableau Server are a subset of directives that are supported by CSP.
For a full list of supported CSP directives, go to https://developer.mozilla.org/en-gb/docs/Web/HTTP/Headers/Content-Security-Policy.
You can add directives to the existing default set by adding the new directive in the content_security_policy.directive namespace. You must include the --force-keys parameter when adding new directives. The syntax is as follows:
tsm configuration set -k content_security_policy.directive.<new_directive_name> -v "<value>" --force-keys
For example, to add the worker-src directive, run the following command:
tsm configuration set -k content_security_policy.directive.worker-src -v "none" --force-keys
Step 3: Specify report-only directives (optional)
You can configure CSP to report some directives and to enforce others. When you set content_security_policy.enforce_enabled to true, all directives are enforced (even if content_security_policy.report_only_enabled is also set to true).
To specify directives as "report-only" and not enforced, add the directives to the report_only_directive namespace. You must include the --force-keys parameter when adding new directives. The syntax is as follows:
tsm configuration set -k content_security_policy.report_only_directive.<directive_name> -v "<value>" --force-keys
For example, to report only on the script_src directive, run the following command:
tsm configuration set -k content_security_policy.report_only_directive.script_src -v " http://*.example.com" --force-keys
Step 4: Enable CSP on Tableau Server
After you have configured directives, enable CSP on Tableau Server.
The following options are used to enable enforcement or report-only mode for the directives you have set.
Option | Default value | Description |
---|---|---|
content_security_policy.enforce_enabled | false | Adds a CSP header to all requests so that any violation will be enforced by the browser. |
content_security_policy.report_only_enabled | true | Adds a CSP header to all requests so that any violation will be recorded in the vizql-client logs, but will not be enforced by the browser. |
To enable enforcement of the CSP directives that you've specified, run the following command:
tsm configuration set -k content_security_policy.enforce_enabled -v true
Step 5: Run tsm pending-changes apply
When you are finished configuring CSP, run tsm pending-changes apply.
If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
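The directive keys set in Steps 1 to 4 are rendered by the server into one header value, and the enable flags decide whether that value is sent as Content-Security-Policy or Content-Security-Policy-Report-Only. The following Python is an added example, not Tableau's own code: it assembles the header from tsm-style keys and lints each source list before you apply it. Assumptions made for illustration: a content_security_policy.directive.<name> key maps to the CSP directive <name> with underscores replaced by hyphens, directives are joined with "; ", the header routing follows the description in Step 3 (enforce_enabled enforces everything, otherwise report_only_enabled yields a report-only header), and DEFAULT_SETTINGS is the default table above copied into a dict. One check worth running before applying: CSP keywords such as none and self must be single-quoted inside the value ('none', as in the default_src default), because a bare none is parsed by browsers as a host named "none" and blocks nothing.

```python
"""Render and sanity-check CSP headers from tsm-style directive settings.

Added illustration, not Tableau's own code. Key-to-directive mapping,
"; " joining and header routing are assumptions; keyword rules follow the
CSP standard.
"""

DIRECTIVE_PREFIX = "content_security_policy.directive."
REPORT_ONLY_PREFIX = "content_security_policy.report_only_directive."

# Keyword sources must be single-quoted in a CSP header. A bare none is parsed
# as a host named "none", so a value of none does not block anything.
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
# Directives where a bare * is worth flagging: it permits active content from any origin.
WIDE_OPEN_RISKY = {"default-src", "script-src", "object-src"}

# The default directive set from the table on this page (values copied as-is).
DEFAULT_SETTINGS = {
    DIRECTIVE_PREFIX + "default_src": "'none'",
    DIRECTIVE_PREFIX + "connect_src": "*",
    DIRECTIVE_PREFIX + "script_src": "*",
    DIRECTIVE_PREFIX + "style_src": "* 'unsafe-inline'",
    DIRECTIVE_PREFIX + "img_src": "* data:",
    DIRECTIVE_PREFIX + "font_src": "* data:",
    DIRECTIVE_PREFIX + "frame_src": "* data:",
    DIRECTIVE_PREFIX + "object_src": "data:",
    DIRECTIVE_PREFIX + "report_uri": "/vizql/csp-report",
}


def directive_name(key: str, prefix: str) -> str:
    """content_security_policy.directive.connect_src -> connect-src (assumed mapping)."""
    return key[len(prefix):].replace("_", "-")


def lint_source_list(directive: str, value: str) -> list:
    """Return warnings for one directive's source list; an empty list means it looks sane."""
    tokens = value.split()
    warnings = []
    if not tokens:
        warnings.append(f"{directive}: empty source list")
    for tok in tokens:
        if tok in KEYWORDS:
            warnings.append(f"{directive}: keyword {tok} must be written as '{tok}'")
        elif tok == "*" and directive in WIDE_OPEN_RISKY:
            warnings.append(f"{directive}: * allows active content from any origin")
    if "'none'" in tokens and len(tokens) > 1:
        warnings.append(f"{directive}: 'none' must be the only source")
    return warnings


def render_policy(settings: dict, prefix: str) -> str:
    """Join every directive under prefix into one header value, in sorted key order."""
    parts = []
    for key in sorted(settings):
        if key.startswith(prefix):
            parts.append(f"{directive_name(key, prefix)} {settings[key].strip()}")
    return "; ".join(parts)


def lint_settings(settings: dict) -> list:
    """Lint both the enforced and the report-only directive namespaces."""
    warnings = []
    for prefix in (DIRECTIVE_PREFIX, REPORT_ONLY_PREFIX):
        for key in sorted(settings):
            if key.startswith(prefix):
                warnings += lint_source_list(directive_name(key, prefix), settings[key])
    return warnings


def build_headers(settings: dict) -> dict:
    """Map the enable flags (page defaults: enforce false, report_only true) to headers."""
    enforce = settings.get("content_security_policy.enforce_enabled", "false") == "true"
    report_only = settings.get("content_security_policy.report_only_enabled", "true") == "true"
    enforced = render_policy(settings, DIRECTIVE_PREFIX)
    reported = render_policy(settings, REPORT_ONLY_PREFIX)
    combined = "; ".join(p for p in (enforced, reported) if p)
    headers = {}
    if enforce:
        # Per this page, enforce_enabled enforces all directives, including the report_only namespace.
        headers["Content-Security-Policy"] = combined
    elif report_only:
        headers["Content-Security-Policy-Report-Only"] = combined
    return headers


if __name__ == "__main__":
    for name, value in build_headers(DEFAULT_SETTINGS).items():
        print(f"{name}: {value}")
    # Same mistake as writing -v "none" in the shell: the inner quotes are missing.
    with_worker = dict(DEFAULT_SETTINGS, **{DIRECTIVE_PREFIX + "worker-src": "none"})
    for line in lint_settings(with_worker):
        print("warning:", line)
```

With the defaults, the only warning is for script_src, whose default of * permits scripts from any origin; tightening that directive is where a hardening pass usually starts, and running it first in report-only mode (the default) shows which hosts the viz actually needs.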
View CSP report
To view CSP violations for a given viz, load the viz in a browser that includes developer tools. This example uses the Chrome browser.
1. Load a test viz with violations that is hosted on the Tableau Server deployment where you configured CSP.
2. Press CTRL+Shift+I to open the developer tools in Chrome, and then click the Network tab.
3. In the Filter field, enter csp-report, and then click Find All. If there are no violations, the search will not return any CSP reports.
4. If there are violations, click the Headers tab in the results pane and scroll to the bottom to view Request Payload.
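The Request Payload you see in step 4 is the JSON document that report_uri receives: a top-level csp-report object whose fields (document-uri, violated-directive, effective-directive, blocked-uri, original-policy, disposition, and optionally script-sample) are defined by the CSP standard. Reading them one at a time in developer tools works for a single viz; across many users it is more useful to aggregate the posted reports. The following Python is an added example, not Tableau's own code: it parses reports in that standard shape and counts violations per directive and blocked origin, so that a recurring blocked script host stands out from noise such as browser extensions. The four sample reports are constructed for this example; in practice you would feed it the bodies collected at the report endpoint.

```python
"""Parse and summarize CSP violation reports posted to report-uri.

Added illustration, not Tableau's own code; it relies on the standard
"csp-report" JSON shape. SAMPLE_REPORTS below is constructed for the example.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample POST bodies: two reports for the same third-party script,
# one for an inline style, and one malformed body that must not crash triage.
SAMPLE_REPORTS = [
    b'{"csp-report":{"document-uri":"https://tableau.example.com/views/Sales/Overview",'
    b'"violated-directive":"script-src","effective-directive":"script-src",'
    b'"blocked-uri":"https://cdn.example.net/widget.js",'
    b'"original-policy":"script-src http://*.example.com; report-uri /vizql/csp-report",'
    b'"disposition":"report","status-code":200}}',
    b'{"csp-report":{"document-uri":"https://tableau.example.com/views/Sales/Detail",'
    b'"violated-directive":"script-src","effective-directive":"script-src",'
    b'"blocked-uri":"https://cdn.example.net/widget.js?v=2",'
    b'"disposition":"report","status-code":200}}',
    b'{"csp-report":{"document-uri":"https://tableau.example.com/views/Sales/Overview",'
    b'"violated-directive":"style-src","blocked-uri":"inline",'
    b'"script-sample":"color: red","disposition":"report"}}',
    b'not a csp report',
]


def blocked_origin(blocked: str) -> str:
    """Collapse a blocked URL to scheme://host; keep CSP pseudo-values (inline, eval, data) as-is."""
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked or "(empty)"


def parse_report(body: bytes) -> dict:
    """Return the fields a triager needs; an empty dict means the body was not a CSP report."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return {}
    blocked = report.get("blocked-uri", "")
    return {
        "document": report.get("document-uri", ""),
        # effective-directive is the directive that actually applied; older
        # browsers send only violated-directive, so fall back to it.
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked": blocked,
        "blocked_origin": blocked_origin(blocked),
        "disposition": report.get("disposition", "report"),
        "sample": report.get("script-sample", ""),
    }


def summarize(bodies) -> Counter:
    """Count violations per (directive, blocked origin), skipping unparsable bodies."""
    counts = Counter()
    for body in bodies:
        parsed = parse_report(body)
        if parsed:
            counts[(parsed["directive"], parsed["blocked_origin"])] += 1
    return counts


if __name__ == "__main__":
    for (directive, origin), n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:<12} {origin}")
```

Grouping by origin rather than full URL is what makes the summary readable: query strings and cache-busting paths vary per request, but the host is what you would add to (or deliberately keep out of) a directive. The disposition field tells you whether the report came from the report-only or the enforced header, which matters once both are in play during a staged rollout.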