d2tkapilap
Partner - Contributor

Content is blocked by security policies on SaaS

Our team has developed a new visualisation extension that does the following:

  • Creates an iframe element, and appends it to the plugin $element
  • Resolves the path to the index.html included in our plugin folder, and sets this path as the src for the iframe
  • Loads our app into the iframe

This approach to loading our extension works well in QlikSense desktop and hosted Server, however it does not work on QlikCloud.

On QlikCloud, when loading the plugin html file, we are unable to load any additional assets defined in the html file's <script> or <link> tags due to those assets being blocked by content security policy.

In response to this, we have attempted to add rules to allow loading of these assets via the Content security policy editor in our management console - unfortunately this has not been successful.

For some reason even though the content of the CSP header looks correct and should work, we find these assets to still be blocked when loaded directly from the iframed html file.

Is there something that we overlooked in the CSP editor that would allow us to load this html file and its assets?

Here are some additional things we have tried to unsuccessfully work around this issue:

  • Add nonce tag to script/style tag and CSP header. Unfortunately this CSP rule seemed to be ignored for iframed html.
  • Adding sha256 hash to CSP header - when attempting to add this to the 'origin' field of the CSP rule, we receive the error 'Origin contains invalid characters'.
  • Using 'unsafe-inline' rule, and putting the contents of our assets in <script>/<style> tags. We noticed that 'unsafe-inline' is already present in the header by default and this should work for us, but again the iframed index.html seems to ignore this CSP rule.

Thanks in advance.

Accepted Solutions
Patricia_Silva
Specialist II

Hello, did you check these rules in Management Console: https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Admin/mc-administer-cont.... Hope that helps!

Help users find answers! Don't forget to mark a correct resolution 🙂
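
To see which policy the browser actually enforces on the iframed index.html, and whether the origin added in the CSP editor appears in it, a listener for the standard `securitypolicyviolation` event can run inside that document. This is an added example, not code from the thread or from Qlik; `EXPECTED_ORIGIN`, the sample event and the function names are constructed for illustration.

```javascript
// Added diagnostic example; not Qlik's or the poster's code.
// EXPECTED_ORIGIN and SAMPLE_EVENT are constructed placeholders.
const EXPECTED_ORIGIN = 'https://assets.example.com';
const SAMPLE_EVENT = {
  documentURI: 'https://tenant.example.com/extensions/my-ext/index.html',
  blockedURI: 'https://assets.example.com/app.js',
  effectiveDirective: 'script-src-elem',
  originalPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  disposition: 'enforce',
};

// Split a policy string into { directiveName: [sources...] }.
function parsePolicy(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// script-src-elem falls back to script-src, then default-src (same for style).
function governingDirective(directives, effective) {
  const base = effective.replace(/-(elem|attr)$/, '');
  return [effective, base, 'default-src'].find((d) => d in directives) || null;
}

// Reduce a SecurityPolicyViolationEvent to the facts needed for triage.
function summarizeViolation(e, expectedOrigin = EXPECTED_ORIGIN) {
  const directives = parsePolicy(e.originalPolicy);
  const governedBy = governingDirective(directives, e.effectiveDirective);
  return {
    document: e.documentURI,
    blocked: e.blockedURI,
    directive: e.effectiveDirective,
    governedBy,
    // Literal string check only; wildcard and path matching are not modelled.
    originListed: governedBy ? directives[governedBy].includes(expectedOrigin) : false,
    enforced: e.disposition === 'enforce',
  };
}

// In a browser, log every violation raised in this document.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => {
    console.warn('CSP violation', summarizeViolation(e));
  });
}
```

The listener only reports violations raised in the document it runs in, so it has to be registered inside the iframe's document rather than in the parent page.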
