Content Security Policy

Tableau Server supports the Content Security Policy (CSP) standard. CSP is intended to be an additional layer of security against cross-site scripting and other malicious web-based attacks. CSP is implemented as an HTTP response header that lets you specify where external resources, such as scripts and images, may be loaded from.

See the Mozilla Developer Network (MDN) documentation for more information about CSP.

Configure and enable CSP

CSP is configured and enabled using the tsm configuration set command. If you are running Tableau Server in a distributed deployment, run these commands on the initial node in the cluster. The configuration is applied across the cluster after you run tsm pending-changes apply.

Step 1: Set default directives

Tableau Server includes the set of default directives in the table below.

To set a directive, use the following tsm syntax:

tsm configuration set -k content_security_policy.directive.<directive_name> -v "<value>"

For example, to set the connect_src directive, run the following command:

tsm configuration set -k content_security_policy.directive.connect_src -v "* 'unsafe-inline'"

Option, default value and description for each default directive:

content_security_policy.directive.default_src
  Default value: 'none'
  Serves as a fallback for the other fetch directives. Valid values: see the MDN documentation for default_src.

content_security_policy.directive.connect_src
  Default value: *
  Restricts the URLs which can be loaded using script interfaces. Valid values: see the MDN documentation for connect_src.

content_security_policy.directive.script_src
  Default value: *
  Specifies valid sources for JavaScript. Valid values: see the MDN documentation for script_src.

content_security_policy.directive.style_src
  Default value: * 'unsafe-inline'
  Specifies valid sources for stylesheets. Valid values: see the MDN documentation for style_src.

content_security_policy.directive.img_src
  Default value: * data:
  Specifies valid sources of images and favicons. Valid values: see the MDN documentation for img_src.

content_security_policy.directive.font_src
  Default value: * data:
  Specifies valid sources for fonts loaded using @font-face. Valid values: see the MDN documentation for font_src.

content_security_policy.directive.frame_src
  Default value: * data:
  Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>. Valid values: see the MDN documentation for frame_src.

content_security_policy.directive.object_src
  Default value: data:
  Specifies valid sources for the <object>, <embed>, and <applet> elements. Valid values: see the MDN documentation for object_src.

content_security_policy.directive.report_uri
  Default value: /vizql/csp-report
  Instructs the user agent to report attempts to violate the CSP. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. Valid values: see the MDN documentation for report_uri.

Step 2: Add additional directives (optional)

The default directives included with Tableau Server are a subset of directives that are supported by CSP.

For a full list of supported CSP directives, go to https://developer.mozilla.org/en-gb/docs/Web/HTTP/Headers/Content-Security-Policy.

You can add directives to the existing default set by adding the new directive to the content_security_policy.directive namespace. You must include the --force-keys parameter when adding new directives. The syntax is as follows:

tsm configuration set -k content_security_policy.directive.<new_directive_name> -v "<value>" --force-keys

For example, to add the worker-src directive, run the following command:

tsm configuration set -k content_security_policy.directive.worker-src -v "'none'" --force-keys

Step 3: Specify report-only directives (optional)

You can configure CSP to report on some directives and to enforce others. When content_security_policy.enforce_enabled is set to true, all directives are enforced, even if content_security_policy.report_only_enabled is also set to true.

To specify directives as report-only (not enforced), add them to the content_security_policy.report_only_directive namespace. You must include the --force-keys parameter when adding new directives. The syntax is as follows:

tsm configuration set -k content_security_policy.report_only_directive.<directive_name> -v "<value>" --force-keys

For example, to report only on the script_src directive, run the following command:

tsm configuration set -k content_security_policy.report_only_directive.script_src -v "http://*.example.com" --force-keys

Step 4: Enable CSP on Tableau Server

After you have configured directives, enable CSP on Tableau Server.

The following options enable enforcement or report-only mode for the directives you have set.

content_security_policy.enforce_enabled
  Default value: false
  Adds a CSP header to all requests so that any violation is enforced by the browser.

content_security_policy.report_only_enabled
  Default value: true
  Adds a CSP header to all requests so that any violation is recorded in the vizql-client logs but is not enforced by the browser.

To enable enforcement of the CSP directives that you've specified, run the following command:

tsm configuration set -k content_security_policy.enforce_enabled -v true

Step 5: Run tsm pending-changes apply

When you are finished configuring CSP, run tsm pending-changes apply.

If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

View CSP report

To view CSP violations for a given viz, load the viz in a browser that includes developer tools. This example uses the Chrome browser.

  1. Load a test viz with violations that is hosted on the Tableau Server deployment where you configured CSP.

  2. Press Ctrl+Shift+I to open the developer tools in Chrome.

  3. Click the Network tab.

  4. In the Filter field, enter csp-report, and then click Find All.

    • If there are no violations, the search will not return any CSP reports.

    • If there are violations, click the Headers tab in the results pane and scroll to the bottom to view Request Payload.
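Once violation reports like the ones found in the Request Payload above are collected (they are the JSON documents the browser POSTs to the report_uri, /vizql/csp-report by default), tuning the policy means grouping them by directive and by the origin that was blocked. The following Python is an added example, not Tableau's code: the sample reports are constructed, the field names follow the standard application/csp-report JSON format, and the URLs are placeholders.

```python
"""Summarize CSP violation reports (the JSON documents browsers POST to the
report_uri, /vizql/csp-report by default) by directive and blocked origin.
Added example, not Tableau's code; sample reports below are constructed and
use the standard application/csp-report field names."""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample reports, as a browser would POST them.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://tableau.example.com/views/Sales/Overview",
        "effective-directive": "script-src", "violated-directive": "script-src",
        "disposition": "report",  # report-only header, not enforced
        "blocked-uri": "https://cdn.example.net/widget.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://tableau.example.com/views/Sales/Overview",
        "effective-directive": "script-src", "violated-directive": "script-src",
        "disposition": "report", "blocked-uri": "https://cdn.example.net/analytics.js"}}),
    json.dumps({"csp-report": {  # older format: no effective-directive and
        "document-uri": "https://tableau.example.com/views/Sales/Detail",
        "violated-directive": "style-src 'self'",  # the directive carries its values
        "disposition": "enforce", "blocked-uri": "inline"}}),
]

def blocked_origin(blocked_uri):
    """Reduce a blocked URL to scheme://host; keep bare tokens like 'inline' as-is."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"

def summarize(reports):
    """Return {directive: {origin: {"count": n, "dispositions": [...]}}} so a
    directive seen only with 'report' can be allowlisted or moved to enforcement."""
    acc = defaultdict(lambda: defaultdict(lambda: {"count": 0, "dispositions": set()}))
    for raw in reports:
        body = json.loads(raw).get("csp-report", {})
        directive = (body.get("effective-directive") or body.get("violated-directive")
                     or "unknown").split()[0]  # older browsers append the directive's values
        entry = acc[directive][blocked_origin(body.get("blocked-uri", ""))]
        entry["count"] += 1
        entry["dispositions"].add(body.get("disposition", "unknown"))
    return {d: {o: {"count": e["count"], "dispositions": sorted(e["dispositions"])}
                for o, e in origins.items()} for d, origins in acc.items()}

if __name__ == "__main__":
    for directive, origins in sorted(summarize(SAMPLE_REPORTS).items()):
        for origin, info in sorted(origins.items()):
            print(f"{directive:<12} {origin:<30} x{info['count']} ({', '.join(info['dispositions'])})")
```

Feed it the csp-report bodies extracted from the vizql-client logs instead of SAMPLE_REPORTS to see which origins a report-only directive such as script_src would block before switching content_security_policy.enforce_enabled to true.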
