Content Security Policy directive blocks with Zscaler accessing Graph Explorer

[WilliamDO89]

Describe the bug
When using the Microsoft graph explorer to run API calls, the calls are running in the background fine, however, the visual display of Request Body and Response preview do not show anything and just show as loading. Looking into DevTools, the following error is flagging

InstrumentHooks.js:90 Connecting to 'https://eastus-8.in.applicationinsights.azure.com/v2/track' violates the following Content Security Policy directive: "connect-src https://dc.services.visualstudio.com https://browser.events.data.microsoft.com https://web.vortex.data.microsoft.com *.clarity.ms https://browser.pipe.aria.microsoft.com https://res.public.onecdn.static.microsoft https://res.df.onecdn.static.microsoft https://cdn.graph.office.net https://consentreceiverfd-prod.azurefd.net https://login.microsoftonline.com https://login.live.com https://www.microsoft.com https://statics.teams.microsoft.com https://controls.account.microsoft.com:44308 https://amcdn.msftauth.net http://amcdn.msauth.net/ https://mem.gfx.ms https://developer.microsoft.com https://graphprodblobstorage-secondary.blob.core.windows.net https://cdn.graph.office.net https://graphexplorerapi.azurewebsites.net https://login.microsoftonline.com https://graph.office.net https://graph.microsoft.com https://browser.pipe.aria.microsoft.com https://clients.config.office.net https://petrol.office.microsoft.com https://mgt.dev https://templates.adaptivecards.io/ https://graphexplorerapi-staging.azurewebsites.net/ https://canary.graph.microsoft.com/ https://default.exp-tas.com https://devxapi-func-prod-eastus.azurewebsites.net https://graphexplorer.microsoft.com". The action has been blocked.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'https://developer.microsoft.com/en-us/graph/graph-explorer'
2. Open DevTool
3. Click on 'Run query'
4. Change to Console in DevTools
5. 6. See error violates the following Content Security Policy directive: "connect-src

Screenshots

Desktop (please complete the following information):

• OS: Windows 11
• Browser Edge
• Version 147.0.3912.37

[lehrt]

I am not having any issues running graph explorer queries. The error you are seeing is unrelated to content rendering, its just our telemetry service.

Please give me more information about what query you are running and more details about the actual issue you're seeing.

[WilliamDO89]

I am not having any issues running graph explorer queries. The error you are seeing is unrelated to content rendering, its just our telemetry service.

Please give me more information about what query you are running and more details about the actual issue you're seeing.

I have updated a screenshot of the issue i'm facing, you can see the errors and the GUI just displaying "Loading"

[lehrt]

Thanks for the pictures. I'm pretty puzzled because I am not having this issue, nor is any other user that I've seen. Can you try a couple of things?

Please try several different calls. Does the issue persist?

If so, please open the network tools and run an api call. You should see it in the list of network calls, like below

Now please let me know what you see in the 'Response' section, two tabs to the right from the 'Header' section shown in the image. No need for pics, just let me know if there's a payload in there.

The content policy errors youre seeing are a red herring--that's just our telemetry service having trouble logging events. Whatever you're dealing with is unrelated to these errors.

[WilliamDO89]

@lehrt , thanks for the reply.

I can see the actual API calls returning data from the response tab, but its still just showing "loading..." on both on the GUI,

It does look like you are getting the same errors in the console.

"telemetry.ts:73 Connecting to 'https://eastus-8.in.applicationinsights.azure.com/v2/track' violates the following Content Security Policy directive: "connect-src https://dc.services.visualstudio.com https://browser.events.data.microsoft.com https://web.vortex.data.microsoft.com *.clarity.ms https://browser.pipe.aria.microsoft.com https://res.public.onecdn.static.microsoft https://res.df.onecdn.static.microsoft https://cdn.graph.office.net https://consentreceiverfd-prod.azurefd.net https://login.microsoftonline.com https://login.live.com https://www.microsoft.com https://statics.teams.microsoft.com https://controls.account.microsoft.com:44308 https://amcdn.msftauth.net http://amcdn.msauth.net/ https://mem.gfx.ms https://developer.microsoft.com https://graphprodblobstorage-secondary.blob.core.windows.net https://cdn.graph.office.net https://graphexplorerapi.azurewebsites.net https://login.microsoftonline.com https://graph.office.net https://graph.microsoft.com https://browser.pipe.aria.microsoft.com https://clients.config.office.net https://petrol.office.microsoft.com https://mgt.dev https://templates.adaptivecards.io/ https://graphexplorerapi-staging.azurewebsites.net/ https://canary.graph.microsoft.com/ https://default.exp-tas.com https://devxapi-func-prod-eastus.azurewebsites.net https://graphexplorer.microsoft.com". The action has been blocked."

[lehrt]

Yes, I have that error as well because it's caused by a larger issue with our app insights telemetry. It's not causing your specific issue.

Whatever's happening seems to be on your end, as it's not affecting any other users. Can you try accessing on a different computer (if it's a work laptop, perhaps try a personal one), or try a different browser just to get more info about when this happens/doesn't happen?