JedHuynh
New Member

How to configure Content Security Policy for Power BI Report Server

We are using Power BI Report Server version 15.0.1116.121 (September 2024) and have embedded several reports within our web application UI.

Issue: In our web application, we have set up the following Content Security Policy (CSP):

Content-Security-Policy: script-src 'self' https://www.google.com https://www.gstatic.com *.prod.ourcompany.net; object-src 'self' *.prod.ourcompany.net d1qg0coei5ayz5.cloudfront.net; worker-src blob: *.prod.ourcompany.net;

With this CSP configuration, the Power BI reports are no longer rendering, and the browser console displays the following errors:

  1. Refused to execute inline script because it violates the Content Security Policy directive.
  2. EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the Content Security Policy directive.

To resolve this, we would need to add 'unsafe-inline' and 'unsafe-eval' to the CSP header, but this compromises security best practices. We are seeking your assistance to configure the use of a nonce or hash for the script to address this issue securely.

For adding 'unsafe-inline' and 'unsafe-eval' to the Content Security Policy (CSP) while maintaining security, we can use a nonce (a random token) or a hash-based approach. Is it supported in Power BI Report Server, and how do we configure it?

2 REPLIES

Anonymous

Hi, @JedHuynh 

There is no direct documentation on how to configure nonce or hash based CSPs for Power BI Reporting Server, but you can refer to this official documentation which I hope will help you:

Content security policy - Power Platform | Microsoft Learn

You may also want to refer to this documentation, which has some simple examples that will hopefully help you:

Content Security Policy - OWASP Cheat Sheet Series

I hope my suggestions give you good ideas. If you have any more questions, please clarify in a follow-up reply.
Best Regards,
Fen Ling,
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Hi @Anonymous 

According to the Content security policy - Power Platform | Microsoft Learn, I should be able to find the specified settings. However, I couldn't locate these configurations within our Power BI server setup.

In my Power BI server setup, I only see two configuration pages, but neither contains the settings mentioned in the documentation you provided.

[Screenshot: JedHuynh_1-1730709537038.png]

[Screenshot: JedHuynh_0-1730709410698.png]

Does the document apply to Power BI Report Server? 
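
The following is an added example, not part of any post in this thread and not Microsoft's code: a simplified JavaScript model of the two browser checks behind the console errors quoted in the question, run against the policy as posted. The `'nonce-PLACEHOLDER'` variant is constructed for illustration; whether Power BI Report Server can emit a matching nonce is not established in this thread.

```javascript
// Added example: simplified model of how a browser applies CSP to
// inline <script> elements and to eval(). Not a full CSP implementation.

// Split a header value into directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)[^']+'$/i;

function scriptChecks(header) {
  const d = parseCsp(header);
  // Fallback chains: inline <script> elements use script-src-elem, then
  // script-src, then default-src; eval() uses script-src, then default-src.
  const inlineList = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  const evalList = d.get('script-src') ?? d.get('default-src');
  const has = (list, kw) => list.some((s) => s.toLowerCase() === kw);

  const result = { inlineScript: 'allowed', eval: 'allowed' };
  if (inlineList) {
    if (inlineList.some((s) => NONCE_OR_HASH.test(s))) {
      // A nonce or hash source makes the browser ignore 'unsafe-inline'.
      result.inlineScript = 'only-matching-nonce-or-hash';
    } else if (!has(inlineList, "'unsafe-inline'")) {
      result.inlineScript = 'blocked';
    }
  }
  // Nonces and hashes never cover eval(); only 'unsafe-eval' does.
  if (evalList && !has(evalList, "'unsafe-eval'")) result.eval = 'blocked';
  return result;
}

// The policy exactly as posted in the question.
const POSTED = "script-src 'self' https://www.google.com https://www.gstatic.com " +
  "*.prod.ourcompany.net; object-src 'self' *.prod.ourcompany.net " +
  "d1qg0coei5ayz5.cloudfront.net; worker-src blob: *.prod.ourcompany.net;";
// Constructed variant: a script-src carrying a placeholder nonce.
const WITH_NONCE = "script-src 'self' 'nonce-PLACEHOLDER' *.prod.ourcompany.net";

console.log(scriptChecks(POSTED));
console.log(scriptChecks(WITH_NONCE));
```

In this model a nonce or hash source changes only the inline-script result; the eval() check still fails unless 'unsafe-eval' is present, so the two console errors have to be addressed separately.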
