I have a StoredProcess web application that relies on the Bootstrap and jQuery packages for layout and scripting.
The content is created through a series of DATA STEP's and PROC STREAM-calls, writing to _webout.
I have in the <head> section references to the Bootstrap and jQuery sources on their webpages. This used to work.
Increasingly however modern browsers refuse to load them because Content-Security-Policy directives block that.
The SAS web application generates HTTP-headers specifying so.
I have tried two ways to overcome that:
But the SAS-generated HTTP-header remains in force.
Any ideas?
(Except downloading the Bootstrap and jQuery packages and installing them locally in Config\Lev1\Web\WebServer\htdocs - I would like to avoid changes there)
The option you describe (putting the web content on the web server) is in fact, the correct approach to take. Mixing HTML/CSS/JS/IMG/ICO/WOFF etc into DATA STEP and PROC STREAM is a very hacky / hard to maintain & extend way to build (non trivial) web apps.
The option you are probably looking for, would be to modify the CSP policy in the web server directly. You cannot change CSP policy from SAS code, nor from the content (or headers) of the WEBOUT destination.
More info here: https://sasjs.io/security/#content-security-policy
I agree in principle that using DATA STEP and PROC STREAM is a kind of a hack.
On my development system I have access to the sas.conf file, and to the .../htdocs folder. But the idea behind this application is that it can be imported and set up by SAS developers, and in a production system they usually do not have access to those locations. They usually are under control by quite different organisational units, sometimes not really knowing anything about SAS and SAS applications.
So that is why I am looking for ways to avoid that.
(I confess I can see that those other organisational units might consider streaming that kind of code from SAS a security risk...)
But it should be possible to download the Bootstrap and jQuery code, and stream it to _webout.
actually, there is a way you can still keep your web app contained in your SAS code, and stream everything through WEBOUT, and comply with CSP
We manage it with Data Controller - one SAS program (demostream_sas9.sas) deploys the entire app: https://git.datacontroller.io/dc/dc/releases
An overview of the technique is described here: http://sasapps.io/sas-streamed-apps
Registration is now open for SAS Innovate 2025 , our biggest and most exciting global event of the year! Join us in Orlando, FL, May 6-9.
Sign up by Dec. 31 to get the 2024 rate of just $495.
Register now!
Learn how use the CAT functions in SAS to join values from multiple variables into a single value.
Find more tutorials on the SAS Users YouTube channel.
Ready to level-up your skills? Choose your own adventure.