Qlik Sense Hub is not loading correctly due to Content-Security-Policy (CSP) header

When there is Content-Security-Policy (CSP) implemented and the header is injected by reverse proxy, Qlik Sense Enterprise Hub may fail to load correctly by modern Web browsers like Chrome, Edge, or Firefox. You may see an error messages like "Refuse to apply inline style because it violates the following Content-Security-Policy directive ... " from the browser's developer tools console.



Environment:
Qlik Sense: all versions

Product Defect ID(s):

• Product Defect ID(s) QB-4182

  After thorough investigation and high test effort, R&D decided not to address this report. Justification in bullets below:

 

• The conclusion from the SSO team:

  As this is a functional issue and not a security issue (...) we're not treating this as a vulnerability.

• Some of the affected locations are relying on third-party libraries which we have no control of. To address those we would have to replace them with other "compatible" libraries, which translates to very high design\implementation effort, and the risk of introducing new issues
• Requires significant changes across the entire product. Affected locations are QMC, Hub, app overview, Dev Hub, Data Load Editor, logout page, and likely more. Many teams to be involved, so if anything it should be handled as a Product Scenario rather than a bug report
• From What is CSP (Content-Security-Policy) and How does it Relate to Qlik?:

  (...) CSP is implemented by the browser, and its implementation is therefore going to vary from browser to browser. If there is an issue with CSP or a general question about CSP with a specific browser version, then this is a browser issue and not a Qlik issue.

  The only point where Qlik comes into the equation is if Qlik Sense has been configured to send custom response headers (instead of using a frontend webserver to do this, which is a better practice). (...)