Viewing or updating your app's content security settings - AWS App Studio

AWS App Studio is in preview and is subject to change.

Viewing or updating your app's content security settings

Every application in App Studio has content security settings that can be used to restrict external media or resources such as images, iFrames, and PDFs from being loaded, or only permitted from specified domains or URLs (including Amazon S3 buckets). The content security settings are used to configure Content Security Policy (CSP) headers in your application. CSP is a security stanard that helps to secure your app from cross-site scripting (XSS), clickjacking, and other code injection attacks. For more information about CSP, see Content Security Policy (CSP) in the MDN Web Docs.

The default content security settings for all apps is to block all media from external sources, including Amazon S3 buckets. Therefore, in order to load images, iFrames, PDFs, or similar media, you must edit the settings to allow the sources of the media.

To update your app's content security settings

  1. If necessary, navigate to the application studio of your application by choosing to edit it from the application list.

  2. Choose App settings.

  3. Choose the Content Security Settings tab to view the following settings:

    • Frame source: Used to manage the domains from which frames and iframes, such as interactive content or PDFs, can be loaded in your app. This setting affects the following components or app resources:

      • iFrame embed component

      • PDF viewer component

    • Image source: Used to manage the domains from which images can be loaded in your app. This setting affects the following components or app resources:

      • App logo and banner

      • Image viewer component

  4. For each source, choose the desired setting from the dropdown:

    • Block all frames/images: Do not allow any media (images, frames, PDFs) to load in your app.

    • Allow all frames/images: Allow all media (images, frames, PDFs) from all domains to load in your app.

    • Allow specific domains: Allow media from specified domains to load in your app. Domains or URLs are specified as a space-separated list of expressions, where wildcards (*) can be used for subdomains, host address, or port number to indicate that all legal values of each are valid. Specifying http also matches https. The following list contains examples of valid entries:

      • blob:: Matches all blobs, which includes file data returned by automation actions, such as GetObject returning items from Amazon S3 buckets, or images generated by Amazon Bedrock.

        Important

        You must include blob: to your provided expression to allow file data returned by actions, even if your expression is *, you should update it to * blob:

      • http://*.example.com: Matches all attempts to load from any subdomain of example.com. Also matches https resources.

      • https://source1.example.com https//source2.example.com: Matches all attempts to load from both https://source1.example.com and https://source2.example.com

      • https://example.com/subdirectory/: Matches all attempts to load files under subdirectory directory. For example, https://example.com/subdirectory/path/to/file.jpeg. It does not match https://example.com/path/to/file.jpeg.

  5. Choose Save to save your changes.