Viewing or updating your app's content security settings
Every application in App Studio has content security settings that can be used to restrict external media or resources such as images, iFrames, and PDFs from being loaded, or
only permitted from specified domains or URLs (including Amazon S3 buckets). The content security settings are used to configure Content Security Policy (CSP) headers in your application. CSP is a security stanard that
helps to secure your app from cross-site scripting (XSS), clickjacking, and other
code injection attacks. For more information about CSP, see Content Security Policy (CSP)
The default content security settings for all apps is to block all media from external sources, including Amazon S3 buckets. Therefore, in order to load images, iFrames, PDFs, or similar media, you must edit the settings to allow the sources of the media.
To update your app's content security settings
If necessary, navigate to the application studio of your application by choosing to edit it from the application list.
Choose App settings.
Choose the Content Security Settings tab to view the following settings:
Frame source: Used to manage the domains from which frames and iframes, such as interactive content or PDFs, can be loaded in your app. This setting affects the following components or app resources:
iFrame embed component
PDF viewer component
Image source: Used to manage the domains from which images can be loaded in your app. This setting affects the following components or app resources:
App logo and banner
Image viewer component
For each source, choose the desired setting from the dropdown:
Block all frames/images: Do not allow any media (images, frames, PDFs) to load in your app.
Allow all frames/images: Allow all media (images, frames, PDFs) from all domains to load in your app.
Allow specific domains: Allow media from specified domains to load in your app. Domains or URLs are specified as a space-separated list of expressions, where wildcards (
*
) can be used for subdomains, host address, or port number to indicate that all legal values of each are valid. Specifyinghttp
also matcheshttps
. The following list contains examples of valid entries:blob:
: Matches all blobs, which includes file data returned by automation actions, such asGetObject
returning items from Amazon S3 buckets, or images generated by Amazon Bedrock.Important
You must include
blob:
to your provided expression to allow file data returned by actions, even if your expression is*
, you should update it to* blob:
http://*.example.com
: Matches all attempts to load from any subdomain ofexample.com
. Also matcheshttps
resources.https://source1.example.com https//source2.example.com
: Matches all attempts to load from bothhttps://source1.example.com
andhttps://source2.example.com
https://example.com/subdirectory/
: Matches all attempts to load files under subdirectory directory. For example,https://example.com/subdirectory/path/to/file.jpeg
. It does not matchhttps://example.com/path/to/file.jpeg
.
-
Choose Save to save your changes.