Enable CSP for an Organization

Control hostname restrictions for individual GoodData features using Content Security Policy (CSP). CSP works along similar lines to CORS, with one key difference: CORS is strictly enforced for security reasons and cannot be used to loosen the domain restrictions for individual features such as linking, redirecting, or iframe embedding. With CSP you can optionally lift the domain restrictions for individual GoodData features, for example to make your dashboard embeddable under any domain.

CSP settings can be accessed and modified using the API endpoint api/v1/entities/cspDirectives.

GoodData allows these CSP directives. Please note that your combined CSP header should not exceed 3000 characters.

View CSP Directives

Get your organization CSP configuration by making the following API call:

curl -X GET -H "Authorization: Bearer <token>" $HOSTNAME/api/v1/entities/cspDirectives

If you have no CSP directives enabled, you get back the following response:

{
    "data": [],
    "links": {
        "self": "$HOSTNAME/api/v1/entities/cspDirectives?page=0&size=20",
        "next": "$HOSTNAME/api/v1/entities/cspDirectives?page=1&size=20"
    }
}

Set CSP Directives

Before you proceed, note that you need to have the organization MANAGE permission to change the CSP configuration.

Set a new CSP directive by making the following API call:

curl -X POST -H "Authorization: Bearer <token>" \
    -H "Content-type: application/vnd.gooddata.api+json" $HOSTNAME/api/v1/entities/cspDirectives \
    -d @data.json

where data.json contains the CSP directive. For example, to define the CSP directive script-src 'self' https://*.exampledomain.org;, which allows scripts from the exampledomain.org domain and all of its subdomains, ensure data.json contains:

{
    "data": {
        "id": "script-src",
        "type": "cspDirective",
        "attributes": {
            "sources": [
                "https://*.exampledomain.org",
                "'self'"
            ]
        }
    }
}

The API response should contain the CSP directive you have just set:

{
    "data": [
        {
            "attributes": {
                "sources": [
                    "https://*.exampledomain.org",
                    "self"
                ]
            },
            "id": "script-src",
            "links": {
                "self": "$HOSTNAME/api/v1/entities/cspDirectives/script-src"
            },
            "type": "cspDirective"
        }
    ],
    "links": {
        "self": "$HOSTNAME/api/v1/entities/cspDirectives?page=0&size=20",
        "next": "$HOSTNAME/api/v1/entities/cspDirectives?page=1&size=20"
    }
}
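To assemble the combined CSP header value from a cspDirectives response and check it against the 3000-character limit mentioned above, here is an added example (not GoodData's own code). It assumes the entity shape shown in the responses on this page, and that keyword sources such as self may come back without their single quotes, as in the response above, so it re-quotes them before building the header.

```python
import json

# CSP keyword sources that must be single-quoted in the header value.
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval",
                "strict-dynamic", "report-sample"}
MAX_HEADER_LENGTH = 3000  # limit stated in the GoodData documentation


def normalize_source(source: str) -> str:
    """Quote CSP keyword sources (self, none, ...) if the quotes are missing."""
    bare = source.strip("'")
    if bare in CSP_KEYWORDS:
        return f"'{bare}'"
    return source


def build_csp_header(response: dict) -> str:
    """Combine cspDirective entities from the API response into one header value."""
    parts = []
    for entity in response["data"]:
        if entity.get("type") != "cspDirective":
            raise ValueError(f"unexpected entity type: {entity.get('type')}")
        sources = [normalize_source(s) for s in entity["attributes"]["sources"]]
        parts.append(f"{entity['id']} {' '.join(sources)}")
    return "; ".join(parts)


def header_within_limit(header: str) -> bool:
    """True if the combined header fits the documented 3000-character limit."""
    return len(header) <= MAX_HEADER_LENGTH


# Constructed sample: the response shape shown on this page, with one directive.
SAMPLE_RESPONSE = {
    "data": [
        {
            "attributes": {"sources": ["https://*.exampledomain.org", "self"]},
            "id": "script-src",
            "type": "cspDirective",
        }
    ]
}

if __name__ == "__main__":
    header = build_csp_header(SAMPLE_RESPONSE)
    print(header)  # script-src https://*.exampledomain.org 'self'
    print("within limit:", header_within_limit(header))
```

Feed it the JSON body of the GET call above (for example via json.load on the saved curl output) to review the header your organization will actually send.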