I have a StoredProcess web application that relies on the Bootstrap and jQuery packages for layout and scripting.  The content is created through a series of DATA STEP's and PROC STREAM-calls, writing to _webout. I have in the <head> section references to the Bootstrap and jQuery sources on their webpages. This used to work. Increasingly however modern browsers refuse to load them because Content-Security-Policy directives block that.  The SAS web application generates HTTP-headers specifying so.  I have tried two ways to overcome that: <meta http-equiv="Content-Security-Policy" content="...." /> in the <head> section old = stpsrv_header("Content-Security-Policy" , "..." ) ;in a DATA STEP before opening _webout. But the SAS-generated HTTP-header remains in force.   Any ideas? (Except downloading the Bootstrap and jQuery packages and installing them locally in Config\Lev1\Web\WebServer\htdocs - I would like to avoid changes there) ... View more

Hi,   I am trying to establish something I always thought is possible (and I have said so 😐). But it proves to be more difficult than I thought. I have a set of Stored Processes, to be used interactively from the browser. They maintain an administration in a set of tables, to store who is doing what and when, etc. (The users are DI Studio developers, and the Stored Processes enable them to define and export metadata packages and promote them by importing in the next environments and redeploying jobs there, in a kind of DevOps way.). The administration tables are in database, and we always use libname statements with the AuthDomain option, meaning that there are no passwords in the code, but that credentials are collected from the metadata at runtime.   Stored Processes run under a service account, and when asking the metadata server for credentials the current user's identity is used. This is (I think) a fairly normal setup, and normally just what one wants.   But it means that all users have to be member of the metadata group where the outbound login for the database is stored. And that means that they can write to the the administration tables without using the Stored Processes. But I want the tables to be shielded away from these users; they may read them but changing data should be done only through the Stored Process.   I naively though it should be possible to create code that should get the credentials for the database on the basis of the account that runs the Stored Process (of maybe some other service account), but not the user's credentials. But I do not see how to get there. Except by creating a libname statement with user= and password=, but that would be against policy. And I would have to make sure in some way that the users cannot see it by getting access to the log.   Any better suggestions? ... View more