Snowpark Container Services: Ingress and web app security updates for Azure (Preview)

Attention

This behavior change is in the 2025_03 bundle.

For the current status of the bundle, refer to Bundle History.

As explained in Ingress and web app security, when you create a Snowpark Container Services service for web hosting (network ingress), for added security, the Snowflake proxy service monitors incoming requests to your service and outgoing responses from your service to the clients.

For Snowflake accounts on Azure, the proxy is changing the way that it modifies the Content-Security-Policy (CSP) response header:

Before the change:

The CSP does not provide the connectivity restrictions described in Responses outgoing to the clients.

As a result, application clients can connect to sites that are not defined in EAI.

After the change:

The CSP restricts application clients from connecting to sites that are not defined in the EAI.

Ref: 1953

Language: English