Configuring a Content Security Policy

If you think that your company may use a Content Security Policy (CSP), you must complete the following procedure.

Important: You or someone else in your company is responsible for configuring and maintaining your CSP. Cognos Analytics does not configure CSPs.

Procedure

  1. Determine whether your company uses a CSP.
    Tip: If there is no CSP governing the Cognos Analytics environment, Cognos Analytics can run as usual. All of its features are available.
  2. Verify that the CSP includes all mandatory CSP directives.
  3. Ensure that your CSP includes the correct directives if you plan to use any of the features that require other CSP directives.
  4. Check whether your CSP includes these two directives:
    • script-src 'unsafe-eval' ;
    • script-src 'unsafe-inline' ;
    Tip: If the two directives appear in the CSP, Cognos Analytics can run as usual. All of its features are available.
  5. If the directives script-src 'unsafe-eval' ; and script-src 'unsafe-inline' ; are not included in the CSP, do the following:

Mandatory CSP directives

If a CSP is running in your environment, it must include the following directives for Cognos Analytics to work.

  • default-src 'self' ;
  • script-src 'self' ;
  • connect-src 'self' *.mapbox.com *.ibm.com ;
  • frame-src 'self' ;
  • worker-src 'self' blob: ;
  • style-src 'self' 'unsafe-inline' ;
  • img-src 'self' data: blob: ;
  • font-src 'self' data: ;

Other CSP directives required by Cognos Analytics features

The following table lists some additional CSP directives that are required for certain features.

| CSP directive | Associated Cognos Analytics feature |
|---|---|
| script-src 'self' d3js.org ; | Allows custom visualizations to be added to a report. |
| connect-src ws://Jupyter_server_host:Jupyter_server_port or, if the Jupyter server is secured, connect-src wss://Jupyter_server_host:Jupyter_server_port | Allows the Jupyter Notebook Editor to work. Note: The host and port must match the Jupyter service location in Cognos Analytics. |
| img-src https://avatars.slack-edge.com/ https://*.wp.com ; | Allows user profile pictures and avatars to appear when you share an asset with users via Slack. |
| script-src 'self' 'wasm-unsafe-eval' ; | Allows map charts to display right-to-left (RTL) languages, such as Arabic or Hebrew, correctly. Without this directive, RTL languages are displayed as left-to-right (LTR) languages, such as English. |
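The procedure above (check the mandatory directives, check for 'unsafe-eval' and 'unsafe-inline', then add the directives a feature needs) can be run mechanically against the policy your web server or proxy actually sends. The script below is an added example, not IBM's code: it parses a CSP header, reports which mandatory sources from the list above are absent, tells you whether step 4's two directives are present, and merges a feature row from the table into an existing policy. The mandatory and feature directives are copied from this page; the sample policy strings are constructed, and the Jupyter host and port are the page's own placeholders. Matching is a plain comparison of source expressions, so a host covered by a broader wildcard or inherited from default-src is still reported as missing.

```python
"""Check a Content Security Policy header against the directives this page lists.

Added example, not IBM's code. Policy strings below are constructed samples;
the mandatory and feature directives are copied from the page. Matching is a
plain comparison of source expressions, so a host allowed through a broader
wildcard or inherited from default-src is still reported as missing.
"""
from typing import Dict, List, Set

Policy = Dict[str, Set[str]]

# Directives the page lists as mandatory for Cognos Analytics.
MANDATORY: Policy = {
    "default-src": {"'self'"},
    "script-src": {"'self'"},
    "connect-src": {"'self'", "*.mapbox.com", "*.ibm.com"},
    "frame-src": {"'self'"},
    "worker-src": {"'self'", "blob:"},
    "style-src": {"'self'", "'unsafe-inline'"},
    "img-src": {"'self'", "data:", "blob:"},
    "font-src": {"'self'", "data:"},
}

# Feature directives from the page's table. The Jupyter host and port are the
# page's placeholders; substitute the real service location (wss:// if secured).
FEATURES: Dict[str, Policy] = {
    "custom visualizations": {"script-src": {"d3js.org"}},
    "Jupyter Notebook Editor": {
        "connect-src": {"wss://Jupyter_server_host:Jupyter_server_port"}
    },
    "Slack avatars": {
        "img-src": {"https://avatars.slack-edge.com/", "https://*.wp.com"}
    },
    "RTL map charts": {"script-src": {"'wasm-unsafe-eval'"}},
}


def parse_csp(header: str) -> Policy:
    """Split a CSP header into {directive: {source, ...}}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive; source expressions are kept as written. A stray ';'
    inside a source list therefore turns the next token into a bogus directive.
    """
    policy: Policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy


def serialize(policy: Policy) -> str:
    """Render a policy back to header syntax, one directive per clause."""
    return "; ".join(f"{d} {' '.join(sorted(s))}" for d, s in policy.items())


def missing_sources(policy: Policy, required: Policy) -> List[str]:
    """Return 'directive source' strings from `required` that `policy` lacks."""
    missing: List[str] = []
    for directive, sources in required.items():
        present = policy.get(directive, set())
        missing.extend(f"{directive} {src}" for src in sorted(sources - present))
    return missing


def allows_unsafe_script(policy: Policy) -> bool:
    """Step 4 of the procedure: are 'unsafe-eval' and 'unsafe-inline' both in script-src?"""
    return {"'unsafe-eval'", "'unsafe-inline'"} <= policy.get("script-src", set())


def with_feature(policy: Policy, feature: str) -> Policy:
    """Copy of `policy` with the feature's sources merged into its directives."""
    merged = {d: set(s) for d, s in policy.items()}
    for directive, sources in FEATURES[feature].items():
        merged.setdefault(directive, set()).update(sources)
    return merged


# Constructed sample: close to the mandatory list, but worker-src and *.mapbox.com are missing.
SAMPLE_STRICT = (
    "default-src 'self'; script-src 'self'; connect-src 'self' *.ibm.com; "
    "frame-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data: blob:; font-src 'self' data:"
)

if __name__ == "__main__":
    policy = parse_csp(SAMPLE_STRICT)
    print("missing mandatory:", missing_sources(policy, MANDATORY))
    print("unsafe-eval and unsafe-inline allowed:", allows_unsafe_script(policy))
    for feature in FEATURES:
        print(f"missing for {feature}:", missing_sources(policy, FEATURES[feature]))
    print(serialize(with_feature(policy, "custom visualizations")))
```

Run it against the header value your server emits (for example, the `Content-Security-Policy` response header captured from the Cognos Analytics gateway) instead of `SAMPLE_STRICT`. The parser also makes the separator rule visible: in CSP, `;` ends a directive, so a header written as `img-src https://avatars.slack-edge.com/ ; https://*.wp.com ;` yields a directive named `https://*.wp.com` rather than a second image source, which is why the table row above lists both hosts inside one `img-src` clause.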