What is CSP (Content-Security-Policy)?
In the grand scheme of things, CSP helps to prevent cross-site scripting attacks by controlling what resources a browser can request from a server.
Say a user navigates to https://www.goodpage.com.
The user's browser sends a GET request to https://www.goodpage.com, and the server in turn responds with resources such as HTML, CSS, images, etc. In a cross-site scripting attack, the browser is tricked into also making requests to an unintended page such as https://evilpage.com. Normally, browsers implement something called the Same Origin Policy; this restricts how scripts from one origin can interact with resources requested from a different origin (same origin meaning the same protocol, domain, and port). However, this can be circumvented in various ways that are outside the scope of this article.
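The check a browser performs when a page carries a Content-Security-Policy header can be sketched as follows. This is an added example, not Qlik's or any browser's own code, and it models only part of the CSP source-matching rules; the policy string and the cdn.goodpage.com host are constructed for illustration.

```javascript
// Simplified model of how a browser checks a request against a CSP header.
// Covers 'self', 'none', '*', scheme sources and host sources with a leading
// wildcard; nonces, hashes, paths and explicit ports are not modelled.

// Constructed sample policy and page URL (cdn.goodpage.com is hypothetical).
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.goodpage.com; img-src *";
const PAGE = "https://www.goodpage.com/";

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return target.origin === page.origin;
  // In this model '*' admits http(s) only; it never admits data: or blob:.
  if (s === "*") return target.protocol === "http:" || target.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false; // 'none' and keywords this sketch does not model
  const [, scheme, wildcard, host] = m;
  const wantedScheme = scheme ? scheme + ":" : page.protocol;
  if (target.protocol !== wantedScheme) return false;
  if (target.port !== "") return false; // source has no port: default port only
  return wildcard ? target.hostname.endsWith("." + host) : target.hostname === host;
}

function isAllowed(header, directive, url, pageUrl) {
  const policy = parsePolicy(header);
  // Fetch directives fall back to default-src when not listed themselves.
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // no applicable directive, no restriction
  const page = new URL(pageUrl);
  const target = new URL(url, pageUrl);
  return sources.some((src) => sourceMatches(src, target, page));
}

console.log(isAllowed(SAMPLE_POLICY, "script-src", "https://evilpage.com/x.js", PAGE));
```

Note that the `img-src *` entry in the sample policy still lets the page load images from https://evilpage.com, which is why broad wildcards weaken a policy.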
There is a wealth of information about this available online (such as Mozilla's developer documentation) if you wish to dig further into the specific details of how to implement various Content Security Policies.
How is CSP (Content-Security-Policy) Relevant to Qlik?
Generally speaking, it's not.
CSP is implemented by the browser, and its implementation is therefore going to vary from browser to browser. If there is an issue with CSP or a general question about CSP with a specific browser version, then this is a browser issue and not a Qlik issue.
The point where Qlik comes into the equation is if Qlik Sense has been configured to send custom response headers (instead of using a frontend web server to do this, which is a better practice). If Qlik Sense is not sending custom response headers at all, then this would be a Qlik problem. Please see "How to add additional response headers in Qlik Sense" for information on how to send custom response headers in Qlik Sense. Please also see "Can Qlikview Send Custom HTTP Response Headers?" for more information on sending custom headers in QlikView.