Content Security Policy in Cockpit plugin development

Twitter   Facebook   meneame   reddit   QR   Telegram   Whatsapp

When I was migrating Fleet Commander to a cockpit plugin, I had to face a problem with the spice-html5 client we were using to connect to the virtual machines, and It was that the browser was denying some request to Cockpit because of that operations were not specificly allowed.

Some reading and debugging led me to this information about Content Security Policy:

CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website

So, cockpit is specifying that the contents I was trying to load in spice-html5 were not safe, and I found that cockpit plugins have an attribute in the manifest file that can be specified for setting that content security policy:

    "version": 0,

    "tools": {
        "fleet-commander": {
            "label": "Fleet Commander",
            "path": "index.html"

    "content-security-policy": "default-src 'self'; media-src 'self' blob:; img-src 'self' data:;"

And that fixed the problem. There are lots of ways and options for specifying different policies, so here are some examples of this setting in several plugins at cockpit repository, and if that is not sufficent for your special case, you can always go to the spec.