Cross-Site Security Features Coming to Power Platform

• Planned Power Platform features could limit common forms of malware attacks and reduce the chance of leaking confidential data.
• Content Security Policy settings let Power Apps take advantage of modern browser features that block cross-site scripting attacks.
• Data connectors also receive cross-tenant restrictions meant to limit the potential for data exfiltration.

Two preview features of the Power Platform tighten the security of Web-based app and internal data stores. These features, Content Security Policy (CSP) and cross-tenant connector restrictions, rely on modern browser features and Azure Active Directory (AAD) capabilities to give administrators control over where an organization’s data might be shared, blockage of some forms of malware, and better visibility into potential security issues.

Browser-Based Content Security Settings

Administrators will be able to require CSP headers for Web applications created with Power Apps. Requiring this setting will reduce both external risks and the chances that so-called citizen developers will mistakenly add malicious elements to an app. The technology could also help Power Pages pass compliance requirements for some customers.