Content Security Policy

Tableau Server supports the Content Security Policy (CSP) standard. CSP is intended to be an additional layer of security against cross-site scripting and other malicious web-based attacks. CSP is implemented as an HTTP response header that lets you specify where external resources, such as scripts and images, can be safely loaded from.

See the Mozilla website for more information about CSP.

Note: If your Tableau Server is configured to use SAML for user authentication, then do not enable CSP. Running CSP on Tableau Server with SAML is not supported.

Configure and enable CSP

CSP is configured and enabled using the tsm configuration set command (see tsm configuration set Options). If you are running Tableau Server in a distributed deployment, run these commands on the initial node in the cluster. The configuration is applied across the cluster after you run tsm pending-changes apply.

Step 1: Set default directives

Tableau Server includes the set of default directives in the table below.

To set a directive, use the following tsm syntax:

tsm configuration set -k content_security_policy.directive.<directive_name> -v "<value>"

For example, to set the connect_src directive, run the following command:

tsm configuration set -k content_security_policy.directive.connect_src -v "* 'unsafe-inline'"

Option: content_security_policy.directive.default_src
Default value: 'none'
Description: Serves as a fallback for the other fetch directives. (Valid values for default_src: see the MDN CSP reference.)

Option: content_security_policy.directive.connect_src
Default value: *
Description: Restricts the URLs which can be loaded using script interfaces. (Valid values for connect_src: see the MDN CSP reference.)

Option: content_security_policy.directive.script_src
Default value: *
Description: Specifies valid sources for JavaScript. (Valid values for script_src: see the MDN CSP reference.)

Option: content_security_policy.directive.style_src
Default value: * 'unsafe-inline'
Description: Specifies valid sources for stylesheets. (Valid values for style_src: see the MDN CSP reference.)

Option: content_security_policy.directive.img_src
Default value: * data:
Description: Specifies valid sources of images and favicons. (Valid values for img_src: see the MDN CSP reference.)

Option: content_security_policy.directive.font_src
Default value: * data:
Description: Specifies valid sources for fonts loaded using @font-face. (Valid values for font_src: see the MDN CSP reference.)

Option: content_security_policy.directive.frame_src
Default value: * data:
Description: Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>. (Valid values for frame_src: see the MDN CSP reference.)

Option: content_security_policy.directive.object_src
Default value: data:
Description: Specifies valid sources for the <object>, <embed>, and <applet> elements. (Valid values for object_src: see the MDN CSP reference.)

Option: content_security_policy.directive.report_uri
Default value: /vizql/csp-report
Description: Instructs the user agent to report attempts to violate the CSP. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. (Valid values for report_uri: see the MDN CSP reference.)

Step 2: Add additional directives (optional)

The default directives included with Tableau Server are a subset of directives that are supported by CSP.

For a full list of supported CSP directives, go to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.

You can add directives to the existing default set by adding the new directive in the content_security_policy.directive namespace. You must include the --force-keys parameter when adding new directives. The syntax is as follows:

tsm configuration set -k content_security_policy.directive.<new_directive_name> -v "<value>" --force-keys

For example, to add the worker-src directive, run the following command:

tsm configuration set -k content_security_policy.directive.worker-src -v "'none'" --force-keys

Step 3: Specify report-only directives (optional)

You can configure CSP to report some directives and to enforce others. When you set content_security_policy.enforce_enabled to true, all directives are enforced (even if content_security_policy.report_only_enabled is also set to true).

To specify directives as "report-only" and not enforced, add the directives to the report_only_directive namespace. You must include the --force-keys parameter when adding new directives. The syntax is as follows:

tsm configuration set -k content_security_policy.report_only_directive.<directive_name> -v "<value>" --force-keys

For example, to report only on the script_src directive, run the following command:

tsm configuration set -k content_security_policy.report_only_directive.script_src -v "http://*.example.com" --force-keys

Step 4: Enable CSP on Tableau Server

After you have configured directives, enable CSP on Tableau Server.

The following options enable enforcement or report-only mode for the directives you have set.

Option: content_security_policy.enforce_enabled
Default value: false
Description: Adds a CSP header to all requests so that any violation is enforced by the browser.

Option: content_security_policy.report_only_enabled
Default value: true
Description: Adds a CSP header to all requests so that any violation is recorded in the vizql-client logs, but is not enforced by the browser.

To enable enforcement of the CSP directives that you've specified, run the following command:

tsm configuration set -k content_security_policy.enforce_enabled -v true

Step 5: Run tsm pending-changes apply

When you are finished configuring CSP, run tsm pending-changes apply.

The pending-changes apply command displays a prompt to let you know this will restart Tableau Server if the server is running. The prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. For more information, see tsm pending-changes apply.

View CSP report

To view CSP violations for a given viz, load the viz in a browser that includes developer tools. This example uses the Chrome browser.

  1. Load a test viz with violations that is hosted on the Tableau Server deployment where you configured CSP.

  2. Press Ctrl+Shift+I to open the developer tools in Chrome.

  3. Click the Network tab.

  4. In the Filter field, enter csp-report, and then click Find All.

    • If there are no violations, the search returns no CSP reports.

    • If there are violations, click the Headers tab in the results pane and scroll to the bottom to view the Request Payload.
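The Request Payload shown above, and the JSON documents that the report_uri description in Step 1 refers to, follow the standard "csp-report" wrapper that browsers POST to /vizql/csp-report. The following Python is an added example, not part of the Tableau documentation: it parses such bodies, tolerates malformed input, and summarizes violations by directive and blocked URI, distinguishing report-only from enforced violations via the disposition field. The sample reports, hostnames and paths are constructed placeholders.

```python
import json
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample bodies in the standard "csp-report" wrapper that a browser POSTs to
# report_uri (/vizql/csp-report on Tableau Server). Hosts and paths are placeholders.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://tableau.example.internal/views/Sales/Overview",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.net/widget.js",
        "disposition": "report",   # from a Content-Security-Policy-Report-Only header
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://tableau.example.internal/views/Sales/Overview",
        "violated-directive": "img-src",  # older report without effective-directive
        "blocked-uri": "https://tracker.example.net/pixel.gif",
        "disposition": "enforce",  # from an enforcing Content-Security-Policy header
    }}),
    "not json",  # deliberately malformed: an endpoint must tolerate junk input
]

def parse_csp_report(body: str) -> Optional[Dict[str, object]]:
    """Return the inner csp-report object, or None if the body is not a usable report."""
    try:
        outer = json.loads(body)
    except json.JSONDecodeError:
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report

def summarize(bodies: List[str]) -> Dict[str, object]:
    """Count violations per (directive, blocked URI); track report-only and rejected bodies."""
    by_directive: Counter = Counter()
    report_only = rejected = 0
    for body in bodies:
        report = parse_csp_report(body)
        if report is None:
            rejected += 1
            continue
        # effective-directive names the directive that actually blocked the load;
        # older browsers send only violated-directive, so fall back to it.
        directive = report.get("effective-directive") or report["violated-directive"]
        by_directive[(directive, report.get("blocked-uri", ""))] += 1
        if report.get("disposition") == "report":
            report_only += 1
    return {"violations": dict(by_directive), "report_only": report_only, "rejected": rejected}
```

A report whose disposition is "report" indicates the directive is still in report-only mode; once enforce_enabled is set to true, the same violation arrives with disposition "enforce" and the resource is blocked.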
