Announcing public preview of Content Security Policy for Power Apps
We’re excited to announce the public preview of Content Security Policy for Power Apps!
Power Apps has had Content Security Policy (CSP) support for model-driven apps since the beginning of the year, which was configured by running script as a System Administrator.
With these new capabilities, you can now control the CSP header for model-driven as well as canvas apps in the environment in Power Platform Admin Center. CSP can be configured in both enforced and report-only mode.
Configuration in Power Platform Admin Center
CSP can be configured using the Content security policy settings under the Privacy + Security section of an environment in Power Platform Admin Center. Turning enforcement on will provide protection against clickjacking attacks for apps in that environment. CSP is configured independently for model-driven and canvas apps, except for reporting which applies to both.
Reporting and enforcement are disabled by default, and we recommend you turn on enforcement in your production environments only after testing your apps in a sandbox environment with CSP turned on to ensure any intended functionality isn’t blocked due to this change. We also recommend turning reporting-only mode on in production before enforcement to catch any lingering issues before enforcement is enabled.
CSP support for canvas apps
Model-driven apps have had the ability to send default and custom CSP for some time. With this update we’ll support CSP for canvas apps as well. The default and customizable pieces of the CSP header are the same for both model-driven and canvas, but they are configured independently, allowing you to perform a gradual CSP rollout.
As part of the CSP settings, you can also enable reporting and provide a custom reporting endpoint to receive any content security policy violation reports. This capability helps preview what violations would be blocked before turning it on completely. Refer to the Content Security Policy documentation for details on building reporting endpoint.
Please review the documentation for more details and as always, we would love to hear from you on how we could keep improving this feature. Please leave your feedback and comments on this post.