Enhanced support for Content Security Policies
As of release 12.0.3, Cognos Analytics supports additional Content Security Policy (CSP)
directives that restrict the source of resources loaded by the application. Sources such as inline
JavaScript or eval(), once commonly used in applications (including a previous
generation of Cognos Analytics), are common vectors for cross-site scripting (XSS) attacks. A CSP
can reduce the surface area for such attacks in an application.
If your Cognos Analytics environment uses a CSP that excludes the unsafe directives, some of its legacy features are negatively affected. When these features are blocked, you must disable a set of features that are impacted by the blocked CSP directives. Other affected features are not disabled, but have limitations.
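One way to check whether a given policy excludes the unsafe keywords for scripts, shown as an added example that is not Cognos Analytics code. It assumes the standard CSP keywords 'unsafe-inline' and 'unsafe-eval', looks only at script-src with its default-src fallback, and uses hypothetical function names and constructed sample policies.

```python
# Added example (not Cognos code): audit a CSP header value for the
# 'unsafe-inline' / 'unsafe-eval' keywords as they apply to scripts.
UNSAFE = ("'unsafe-inline'", "'unsafe-eval'")
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample policies, not taken from any Cognos Analytics release.
SAMPLES = {
    "legacy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "strict": "default-src 'self'; script-src 'self'",
    "fallback": "default-src 'self' 'unsafe-eval'; img-src *",
}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_script_policy(header):
    """Return the governing directive and the unsafe keywords it still honours."""
    policy = parse_csp(header)
    # script-src governs scripts; default-src is the fallback when it is absent.
    directive = next((d for d in ("script-src", "default-src") if d in policy), None)
    if directive is None:
        # Neither directive present: script execution is not restricted at all.
        return {"directive": None, "allowed_unsafe": list(UNSAFE)}
    sources = [s.lower() for s in policy[directive]]  # keywords are case-insensitive
    allowed = [k for k in UNSAFE if k in sources]
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is also listed.
    if any(s.startswith(HASH_OR_NONCE) for s in sources) and UNSAFE[0] in allowed:
        allowed.remove(UNSAFE[0])
    return {"directive": directive, "allowed_unsafe": allowed}


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, audit_script_policy(header))
```

An empty `allowed_unsafe` list means the policy excludes both keywords for scripts, which is the configuration under which the legacy features described here are affected.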