Viewing or updating your app's content security settings
Every application in App Studio has content security settings that control whether external media or resources, such as images, iFrames, and PDFs, can be loaded at all, or only from specified domains or URLs (including Amazon S3 buckets). You can also specify the domains to which your app can upload objects in Amazon S3.
The default content security settings for all apps are to block loading all media from external sources, including Amazon S3 buckets, and to block uploading objects to Amazon S3. Therefore, to load images, iFrames, PDFs, or similar media, you must edit the settings to allow the sources of that media. Likewise, to allow uploading objects to Amazon S3, you must edit the settings to allow the domains that can be uploaded to.
Note
The content security settings are used to configure Content Security Policy (CSP) headers in your application. CSP is a security standard that helps to secure your app from cross-site scripting (XSS), clickjacking, and other code injection attacks. For more information about CSP, see Content Security Policy (CSP).
To update your app's content security settings
If necessary, navigate to the application studio of your application by choosing to edit it from the application list.
Choose App settings.
Choose the Content Security Settings tab to view the following settings:
Frame source: Used to manage the domains that your app can load frames and iframes (such as interactive content or PDFs) from. This setting affects the following components or app resources:
iFrame embed component
PDF viewer component
Image source: Used to manage the domains that your app can load images from. This setting affects the following components or app resources:
App logo and banner
Image viewer component
Connect source: Used to manage the domains that your app can upload Amazon S3 objects to.
For each setting, choose the desired setting from the dropdown:
Block all frames/images/connections: Do not allow any media (images, frames, PDFs) to load, or any objects to be uploaded to Amazon S3.
Allow all frames/images/connections: Allow all media (images, frames, PDFs) from all domains to load, or allow uploading of objects to Amazon S3 for all domains.
Allow specific domains: Allow loading media from or uploading media to specified domains. Domains or URLs are specified as a space-separated list of expressions, where wildcards (*) can be used for subdomains, host address, or port number to indicate that all legal values of each are valid. Specifying http also matches https. The following list contains examples of valid entries:
blob: Matches all blobs, which includes file data returned by automation actions, such as GetObject returning items from Amazon S3 buckets, or images generated by Amazon Bedrock.
Important
You must include blob: in your expression to allow file data returned by actions, even if your expression is *; in that case, update it to * blob:
http://*.example.com: Matches all attempts to load from any subdomain of example.com. Also matches https resources.
https://source1.example.com https://source2.example.com: Matches all attempts to load from both https://source1.example.com and https://source2.example.com.
https://example.com/subdirectory/: Matches all attempts to load files under the subdirectory directory. For example, https://example.com/subdirectory/path/to/file.jpeg. It does not match https://example.com/path/to/file.jpeg.
Choose Save to save your changes.
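The following script is an added example, not code from this page or from App Studio. It models the CSP source-matching rules described in the Allow specific domains list above (wildcard subdomains, http also matching https, path-prefix matching for expressions ending in a slash, and why blob: must be listed even when the expression is *), so you can check an expression list against the URLs your app actually loads before saving it. It assumes that the Frame source, Image source, and Connect source settings correspond to the CSP directives frame-src, img-src, and connect-src, that Block all renders as 'none' and Allow all as *, and every URL and bucket name in it is a constructed sample.

```python
# Added example (not App Studio's own code). Models the CSP source-expression
# rules described on this page. Assumptions: the three settings map to the
# frame-src, img-src and connect-src directives; "Block all" is 'none' and
# "Allow all" is *; all URLs and bucket names below are constructed samples.
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
DEFAULT_PORTS = {"http": "80", "https": "443", "ws": "80", "wss": "443"}


def build_csp(frame_src, img_src, connect_src):
    """Render the three settings as a Content-Security-Policy header value."""
    directives = (("frame-src", frame_src), ("img-src", img_src),
                  ("connect-src", connect_src))
    return "; ".join(f"{name} {value}" for name, value in directives)


def _scheme_matches(expr_scheme, url_scheme):
    # An http expression also matches https (likewise ws matches wss).
    return (expr_scheme == url_scheme
            or (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")})


def _host_matches(expr_host, url_host):
    if expr_host == "*":
        return True
    if expr_host.startswith("*."):
        # "*.example.com" matches any subdomain but not example.com itself.
        suffix = expr_host[1:]
        return url_host.endswith(suffix) and len(url_host) > len(suffix)
    return expr_host == url_host


def _port_matches(expr_port, url_port, url_scheme):
    if expr_port == "*":
        return True
    default = DEFAULT_PORTS.get(url_scheme)
    effective = url_port or default
    # No port in the expression means "the default port for the URL's scheme".
    return effective == default if expr_port == "" else expr_port == effective


def source_matches(expr, url):
    """True if one CSP source expression allows the given URL."""
    if expr == "'none'":
        return False
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()
    if expr == "*":
        # "*" covers network schemes only, which is why "blob:" has to be
        # listed separately even when the expression is "*".
        return url_scheme in NETWORK_SCHEMES
    if expr.endswith(":") and "/" not in expr:
        return _scheme_matches(expr[:-1].lower(), url_scheme)   # e.g. blob:
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = "", expr          # scheme-less host, e.g. example.com
    hostport, slash, path = rest.partition("/")
    path = "/" + path if slash else ""
    host, _, port = hostport.partition(":")
    if scheme:
        if not _scheme_matches(scheme.lower(), url_scheme):
            return False
    elif url_scheme not in NETWORK_SCHEMES:
        return False
    if not _host_matches(host.lower(), (parts.hostname or "").lower()):
        return False
    if not _port_matches(port, str(parts.port) if parts.port else "", url_scheme):
        return False
    if path:
        url_path = parts.path or "/"
        # A trailing "/" means prefix match; otherwise the path must be exact.
        return url_path.startswith(path) if path.endswith("/") else url_path == path
    return True


def allowed(setting_value, url):
    """Check a URL against a whole space-separated expression list."""
    return any(source_matches(e, url) for e in setting_value.split())


if __name__ == "__main__":
    # Constructed sample: images from any subdomain plus action-returned blobs.
    img = "https://*.example.com blob:"
    print(build_csp("'none'", img, "https://example-bucket.s3.amazonaws.com"))
    for u in ("https://cdn.example.com/logo.png", "https://example.com/logo.png",
              "blob:https://app.example.com/1234"):
        print(u, allowed(img, u))
```

Run it with the expression list you intend to enter and a handful of the URLs your components actually request; a False for a GetObject or Bedrock result is the blob: omission the Important note above warns about, and a False for the bare apex domain with a *.example.com expression shows that the wildcard covers subdomains only.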