FrankPoppe
Quartz | Level 8

I have a Stored Process web application that relies on the Bootstrap and jQuery packages for layout and scripting.
The content is created through a series of DATA STEPs and PROC STREAM calls, writing to _webout.
In the <head> section I have references to the Bootstrap and jQuery sources on their own web pages. This used to work.
Increasingly, however, modern browsers refuse to load them because Content-Security-Policy directives block that.
The SAS web application generates HTTP headers specifying so.

I have tried two ways to overcome that:

  • <meta http-equiv="Content-Security-Policy" content="...." /> in the <head> section
  • old = stpsrv_header("Content-Security-Policy", "...") ; in a DATA STEP before opening _webout.

But the SAS-generated HTTP header remains in force.

Any ideas?
(Except downloading the Bootstrap and jQuery packages and installing them locally in Config\Lev1\Web\WebServer\htdocs; I would like to avoid changes there.)

3 REPLIES
AllanBowe
Barite | Level 11

The option you describe (putting the web content on the web server) is, in fact, the correct approach to take. Mixing HTML/CSS/JS/IMG/ICO/WOFF etc. into DATA STEP and PROC STREAM is a very hacky / hard to maintain & extend way to build (non-trivial) web apps.

The option you are probably looking for would be to modify the CSP policy in the web server directly. You cannot change the CSP policy from SAS code, nor from the content (or headers) of the WEBOUT destination.

 

More info here: https://sasjs.io/security/#content-security-policy

/Allan
SAS Challenges - SASensei
MacroCore library for app developers
SAS networking events (BeLux, Germany, UK&I)

Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs
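To make concrete why the two attempts in the question (a <meta http-equiv> tag and stpsrv_header) cannot relax a policy the web server already sends, here is a small CSP evaluator. It is an added example, not code from this thread, from SAS or from SASjs. It models the part of the CSP rules that matters here: a browser enforces every policy it receives (HTTP headers and <meta> tags alike) independently, so a script load succeeds only if all of them permit it, which means a second policy can tighten but never loosen the first. The header values, origins and URLs below are constructed samples, not taken from a real SAS deployment; nonces, hashes and 'unsafe-inline' (which govern inline scripts, not external files) are deliberately not modelled.

```python
"""Added example: evaluate CSP script-src decisions for external script loads.
Not the thread's, SAS's or SASjs's code; sample values are constructed."""
from __future__ import annotations
from urllib.parse import urlsplit


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Parse one policy string into {directive: [source expressions]}.
    Directive names are case-insensitive; if a directive is repeated inside
    one policy, browsers keep the first occurrence and ignore the rest."""
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Does a single source expression permit fetching `url` from a page
    served at `page_origin`? Handles 'none', 'self', '*', scheme-source
    (e.g. https:) and host-source with an optional leading '*.' wildcard."""
    target = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        page = urlsplit(page_origin)
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if expr == "*":
        return target.scheme in ("http", "https")  # '*' never covers data:, blob: ...
    if expr.endswith(":") and "/" not in expr:
        return target.scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; the path is ignored here
    if "://" in expr:
        scheme, host = expr.split("://", 1)
        if target.scheme != scheme.lower():
            return False
    else:
        host = expr  # no scheme given: http or https both acceptable in this model
    host = host.split("/", 1)[0].lower()
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return target.netloc.lower() == host


def policy_allows_script(policy: str, url: str, page_origin: str) -> bool:
    """One policy: script-src governs scripts, default-src is the fallback,
    and a policy that names neither places no restriction on script loads."""
    sources = parse_csp(policy)
    active = sources.get("script-src", sources.get("default-src"))
    if active is None:
        return True
    return any(source_allows(s, url, page_origin) for s in active)


def browser_allows_script(policies: list[str], url: str, page_origin: str) -> bool:
    """All delivered policies are enforced independently: the load succeeds
    only if every one of them allows it. A <meta> policy therefore can only
    add restrictions on top of a header policy, never remove them."""
    return all(policy_allows_script(p, url, page_origin) for p in policies)


# Constructed sample values (not from any real SAS deployment).
PAGE_ORIGIN = "https://sasserver.example:8343"
JQUERY_URL = "https://code.jquery.com/jquery.min.js"
SELF_HOSTED_URL = PAGE_ORIGIN + "/sasweb/js/jquery.min.js"
SERVER_HEADER_CSP = "default-src 'self'; script-src 'self'"          # sent by the web server
META_CSP = "script-src 'self' https://code.jquery.com https://cdn.jsdelivr.net"  # the <meta> attempt


def demo() -> dict[str, bool]:
    """Four scenarios; the keys describe which policies the browser received."""
    return {
        "header only, CDN jquery": browser_allows_script([SERVER_HEADER_CSP], JQUERY_URL, PAGE_ORIGIN),
        "header + meta, CDN jquery": browser_allows_script([SERVER_HEADER_CSP, META_CSP], JQUERY_URL, PAGE_ORIGIN),
        "meta alone, CDN jquery": browser_allows_script([META_CSP], JQUERY_URL, PAGE_ORIGIN),
        "header only, self-hosted jquery": browser_allows_script([SERVER_HEADER_CSP], SELF_HOSTED_URL, PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'BLOCKED'}")
```

The second scenario is the one the question describes: the server's header policy blocks the CDN load on its own, and adding a permissive <meta> policy changes nothing because the header policy is still evaluated and still says no. The only outcomes that pass are a policy list that never contained the restrictive header (meaning the web server configuration was changed, as the reply above says) or serving the file from the page's own origin so that 'self' matches.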
FrankPoppe
Quartz | Level 8

I agree in principle that using DATA STEP and PROC STREAM is a kind of a hack.
On my development system I have access to the sas.conf file and to the .../htdocs folder. But the idea behind this application is that it can be imported and set up by SAS developers, and in a production system they usually do not have access to those locations. Those are usually under the control of quite different organisational units, sometimes not really knowing anything about SAS and SAS applications.
So that is why I am looking for ways to avoid that.

(I confess I can see that those other organisational units might consider streaming that kind of code from SAS a security risk...)
But it should be possible to download the Bootstrap and jQuery code and stream it to _webout.

AllanBowe
Barite | Level 11

Actually, there is a way you can still keep your web app contained in your SAS code, stream everything through WEBOUT, and comply with CSP.

We manage it with Data Controller; one SAS program (demostream_sas9.sas) deploys the entire app: https://git.datacontroller.io/dc/dc/releases

An overview of the technique is described here: http://sasapps.io/sas-streamed-apps

/Allan
