Embedded Quick Chat broken: QuickSight iframe CSP blocks eval() in its own Q Business SDK, causing CSRF failure

Hi,

I wanted to share my findings after spending a significant amount of time debugging why embedded Quick Chat stopped working, in case it helps others and to add visibility to what appears to be a QuickSight-side bug.

Setup

  • Region: eu-west-1

  • SDK: amazon-quicksight-embedding-sdk v2.11.2

  • Experience: GenerateEmbedUrlForRegisteredUser with ExperienceConfiguration: { QuickChat: {} } + embedQuickChat()

  • Auth: IAM Identity Center (Microsoft Entra federated users)

Symptom

The Quick Chat UI loads correctly inside the embedded iframe, the input box appears, you can type a question and hit send. But the question disappears immediately with no response. No error is shown to the user.

Root cause (confirmed via browser DevTools)

After extensive debugging, here is the exact chain of failures:

  1. Browser DevTools Issues panel reports that QuickSight’s own iframe CSP blocks eval() in two of QuickSight’s own scripts loaded inside the embedded iframe:

    • q_optimus_remote.f84...821f5147b1.22.js (script-src blocked)

    • hilo_task_center_rem...2e195ec0d5e.22.js (script-src blocked)

  2. Because eval() is blocked, the CSRF token initialisation code never runs

  3. Every POST to the Q Business proxy returns:

{"Message":"csrf token missing or not match."}

401 Unauthorized on /qbsproxy/quicksight/accounts/{account-id}/quick-analytics/metrics/QBizWeb/appmonitors/0

  4. No streaming response is ever received and the chat UI resets

Key observations

  • Quick Chat works perfectly in the QuickSight console (first-party context, more permissive CSP)

  • Fails only in the embedded iframe (cross-origin context, stricter CSP)

  • Third-party cookie settings are irrelevant: the CSRF token is generated in JavaScript, not stored in a cookie

  • The chat API itself returns 200 and the question is processed, but the response never arrives because the streaming channel is broken

Conclusion

This seems like a QuickSight server-side bug: the embedded Quick Chat iframe’s Content-Security-Policy does not include unsafe-eval, but the Amazon Q Business SDK loaded inside that same iframe requires eval() to function. Their own scripts are blocked by their own CSP.

Has anyone else hit this? Has AWS acknowledged it or provided a workaround? I ended up switching to embedGenerativeQnA() with a Q topic as a workaround.
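For anyone who wants to verify the CSP side of this before opening a ticket, here is a small checker, added as an example and not code from the original post, from AWS or from the QuickSight SDK. It parses a Content-Security-Policy header value the way browsers do (script-src governs eval(), falling back to default-src; first occurrence of a directive wins), reports whether 'unsafe-eval' is present, and includes a runtime probe you can paste into the embedded document's DevTools console. The three policy strings and the example.com hosts are constructed samples, not the real QuickSight headers.

```javascript
'use strict';

// Parse a Content-Security-Policy header value into { directiveName: [sources] }.
// Directive names are case-insensitive and, as in browsers, the first occurrence
// of a directive wins; later duplicates are ignored.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// eval(), new Function() and string-argument setTimeout are governed by
// script-src, falling back to default-src when script-src is absent. If neither
// directive exists, the policy places no restriction on eval.
function evalGoverningDirective(policy) {
  if ('script-src' in policy) return 'script-src';
  if ('default-src' in policy) return 'default-src';
  return null;
}

// Returns { allowed, directive }: whether the policy permits eval() and which
// directive decided it (null when the policy is silent on scripts).
function allowsEval(header) {
  const policy = parseCsp(header);
  const directive = evalGoverningDirective(policy);
  if (directive === null) return { allowed: true, directive: null };
  const sources = policy[directive].map((s) => s.toLowerCase());
  return { allowed: sources.includes("'unsafe-eval'"), directive };
}

// Runtime probe: under a policy without 'unsafe-eval' the Function constructor
// throws an EvalError, which is the failure the blocked scripts above run into.
// Run it from the embedded document's own context (the iframe's DevTools console);
// in Node it simply returns true.
function canEvalHere() {
  try {
    return new Function('return 1')() === 1;
  } catch (e) {
    return false;
  }
}

// Browser-only: surface CSP violations programmatically, the same data the
// DevTools Issues panel shows (violated directive and blocked URI).
function watchCspViolations(report) {
  if (typeof document === 'undefined') return false;
  document.addEventListener('securitypolicyviolation', (ev) => {
    report(`${ev.violatedDirective} blocked ${ev.blockedURI || 'inline/eval'} (${ev.sourceFile}:${ev.lineNumber})`);
  });
  return true;
}

// Constructed sample policies mirroring the two contexts contrasted in the post:
// a first-party policy that includes 'unsafe-eval' and a stricter embed policy
// that omits it, plus one that relies on the default-src fallback.
const SAMPLE_CONSOLE_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval' https://cdn.example.com";
const SAMPLE_EMBED_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors https://host.example.com";
const SAMPLE_FALLBACK_CSP = "default-src 'self'";

const samples = { console: SAMPLE_CONSOLE_CSP, embed: SAMPLE_EMBED_CSP, fallback: SAMPLE_FALLBACK_CSP };
for (const [label, csp] of Object.entries(samples)) {
  const r = allowsEval(csp);
  console.log(`${label}: eval ${r.allowed ? 'allowed' : 'BLOCKED'} (governing directive: ${r.directive})`);
}
console.log('eval permitted in this runtime:', canEvalHere());
watchCspViolations((msg) => console.log('CSP violation:', msg));
```

To check a live page, copy the policy from the iframe response's Content-Security-Policy header (or the meta tag) into allowsEval(); a result of allowed: false with directive 'script-src' is exactly the condition described in the post, and canEvalHere() run inside that frame should then return false.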

Hi @anasia and welcome back to the Quick Community!

I have not experienced this, nor have I noticed other community members experience this, but based on what you have said I do agree it seems to be a bug on the QuickSight side. I think your current workaround is good as it essentially avoids the CSRF issue, but I understand that the Q Topic is not the same as the chat agent. Like I previously stated, I have not noticed if other users have experienced this, so I am not sure if AWS is aware of this bug. I would recommend creating a support ticket to help get this issue further documented, as the support team will also be able to investigate the cause further. Please refer to this resource on how to create a support ticket (Case management - AWS Support).