Why Your Power Automate HTTP Flow Calls Fail Inside a Power Apps Code App
Power Platform · Power Automate · Content Security Policy
You've built a Power Apps code app that triggers a Power Automate flow via an HTTP request. It works perfectly in your local development environment. You deploy it to Power Apps and every fetch() call to the flow endpoint fails immediately with this:
Connecting to 'https://***.environment.api.powerplatform.com…/triggers/manual/run'
violates the following Content Security Policy directive: "connect-src 'none'".
The action has been blocked.
TypeError: Failed to fetch. Refused to connect because it violates the
document's Content Security Policy.
No network request ever leaves the browser. The flow is never triggered. Here's what's actually happening and how to fix it.
The Root Cause
Power Apps code apps run hosted inside the Power Apps player, which injects its own Content Security Policy into the page. That policy includes connect-src 'none'. The connect-src directive governs every script-initiated connection (fetch(), XMLHttpRequest, WebSocket, EventSource, sendBeacon), so 'none' tells the browser to refuse all of them from that context.
When more than one policy applies to a document, a request is allowed only if every policy allows it. The effective policy is the intersection, so adding a more permissive policy can only block more, never less. Even if your code app's own HTML defines a permissive connect-src, the host's 'none' still blocks the request. This is specified behaviour in the CSP Level 3 specification (the section on the effect of multiple policies) and cannot be worked around in your application code. The block happens inside the browser before any network activity takes place.
This is why the error surfaces as a generic TypeError: Failed to fetch. Your catch block fires, but no request was ever sent, and nothing appears in the flow's run history. It is not a CORS issue, not a flow configuration issue, and not a problem with your flow trigger URL. Be aware that a CORS failure rejects with the same TypeError, so the exception alone does not tell the two apart; the console message, which names the violated directive, does.
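Because the exception alone cannot tell a CSP block from a CORS or network failure, here is an added example (not from the original post, and not a Power Apps API) of a fetch wrapper for the code app. It listens for the browser's securitypolicyviolation event while the request is in flight and surfaces a specific error when the cause was CSP. The flow URL in a real app comes from the trigger; the deps parameter is an assumption of this example, present only so the wrapper can be exercised outside a browser.

```javascript
// Added example (not from the original post): a fetch wrapper for the code
// app that tells a CSP connect-src block apart from other fetch failures.
// A blocked request rejects with a bare TypeError, but the browser also fires
// a 'securitypolicyviolation' event on the document. Recording that event
// while the request is in flight lets the app report the real cause.
// `deps` exists so the wrapper can be exercised outside a browser; in the app
// it is left empty and the browser globals (fetch, document) are used.

class CspBlockedError extends Error {
  constructor(url, violatedDirective) {
    super(`Request to ${url} was blocked by the document's Content Security Policy ` +
          `(${violatedDirective}); an environment admin must add the host to connect-src`);
    this.name = 'CspBlockedError';
    this.url = url;
    this.violatedDirective = violatedDirective;
  }
}

// True when a violation event refers to the request we just made. blockedURI
// is the blocked URL (or, for cross-origin resources in some browsers, only
// its origin), so a prefix comparison covers both forms.
function violationIsForRequest(ev, url) {
  return typeof ev.violatedDirective === 'string' &&
    ev.violatedDirective.startsWith('connect-src') &&
    typeof ev.blockedURI === 'string' && ev.blockedURI.length > 0 &&
    url.startsWith(ev.blockedURI);
}

async function triggerFlow(flowUrl, payload, deps = {}) {
  const fetchImpl = deps.fetch ?? globalThis.fetch;
  const target = deps.eventTarget ?? globalThis.document;

  let violation = null;
  const onViolation = (ev) => { if (violationIsForRequest(ev, flowUrl)) violation = ev; };
  target?.addEventListener('securitypolicyviolation', onViolation);
  try {
    const res = await fetchImpl(flowUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(payload),
    });
    if (!res.ok) throw new Error(`Flow trigger returned HTTP ${res.status}`);
    return res;
  } catch (err) {
    if (err instanceof TypeError) {
      // The violation event is queued as a task, so it may land just after
      // the rejection; yield once before deciding which error to surface.
      await new Promise((resolve) => setTimeout(resolve, 0));
      if (violation) throw new CspBlockedError(flowUrl, violation.violatedDirective);
    }
    throw err; // CORS, network or server failure: leave the original error
  } finally {
    target?.removeEventListener('securitypolicyviolation', onViolation);
  }
}
```

In the app, call triggerFlow(flowUrl, payload) with no third argument and catch CspBlockedError separately from other errors, so the message shown to users (or logged) says "ask an admin to update connect-src" rather than a misleading "check your network".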
The Fix: Configure connect-src in the Admin Center
This must be resolved at the environment level by an environment administrator. Developers cannot self-serve this change.
1. Open the CSP settings
- Sign in to the Power Platform Admin Center
- In the navigation pane, select Manage → Environments
- Select your environment, then select Settings in the command bar
- Expand Product and select Privacy + Security
- Under Content security policy, select the App tab
2. Configure the connect-src directive
In the Configure directives section, find connect-src and turn off the default toggle. In the Source list, add:
*.powerplatform.com
This covers the *.environment.api.powerplatform.com host that Power Automate HTTP flow trigger URLs use. Because a leading *. in a CSP host-source matches any number of subdomain labels, the narrower *.environment.api.powerplatform.com also matches these trigger URLs and is the tighter choice if nothing else in your app needs the wider powerplatform.com zone. Custom values are merged with the platform's defaults: you are extending the policy, not replacing it. If your code app calls any other external APIs, add those hosts here too, keeping the list as narrow as possible. Do not fall back to a bare * for connect-src; that would let any script running in the app post data anywhere.
3. Optionally enable violation reporting
Turn on Enable reporting and point it at a logging endpoint if you want visibility into CSP violations across the environment. Reporting is independent of enforcement, so you can collect reports first to learn which hosts your apps actually contact before tightening or loosening the policy further.
Save and allow 5–15 minutes for the change to propagate. Hard-refresh your browser and clear the cache before retesting — stale policy headers will make it look like nothing changed.
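As an added example (not from the original post, and not Microsoft's code), the following JavaScript models the two CSP rules this fix depends on: that a request must satisfy every policy governing the document, and that a host-source with a leading *. matches one or more subdomain labels. It runs in Node or a browser console. The page origin and trigger URL are constructed placeholders shaped like the real ones; the host labels are made up, and paths are not modelled.

```javascript
// Added example (not from the original post): a small model of how a browser
// evaluates connect-src when several Content-Security-Policy policies govern
// one document, using the CSP3 host-source matching rules. It shows why the
// Power Apps host's `connect-src 'none'` wins over a permissive policy in the
// app's own HTML, and which source expressions admit a flow trigger URL.
// PAGE_ORIGIN and TRIGGER_URL are constructed placeholders; host labels are made up.

const PAGE_ORIGIN = 'https://apps.powerapps.com';
const TRIGGER_URL =
  'https://0123abcd.e1.environment.api.powerplatform.com/triggers/manual/run';

// "connect-src 'none'; default-src 'self'" -> { 'connect-src': ["'none'"], ... }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does a single source expression admit `url`? Covers 'none', 'self', '*',
// scheme-source (e.g. https:) and host-source with the "*." wildcard plus an
// optional scheme and port. Paths are not modelled.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === '*') return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();

  const m = /^(?:(https?|wss?):\/\/)?([^/:]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;

  // Scheme: an explicit scheme must match; without one, the URL must use the
  // page's scheme (an http page may also reach https, the "secure upgrade").
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== pageScheme &&
             !(pageScheme === 'http:' && url.protocol === 'https:')) {
    return false;
  }

  // Host: a leading "*." matches one or more subdomain labels, so
  // *.powerplatform.com admits a.b.c.powerplatform.com but not powerplatform.com.
  const host = url.hostname.toLowerCase();
  const pattern = hostPattern.toLowerCase();
  if (pattern.startsWith('*.')) {
    if (!host.endsWith(pattern.slice(1))) return false;   // ".powerplatform.com"
  } else if (host !== pattern) {
    return false;
  }

  // Port: compare against the URL's effective port when one is specified.
  if (port && port !== '*') {
    const secure = url.protocol === 'https:' || url.protocol === 'wss:';
    const effective = url.port || (secure ? '443' : '80');
    if (effective !== port) return false;
  }
  return true;
}

// One policy admits the request if any source in its connect-src matches;
// when connect-src is absent the browser falls back to default-src, and a
// policy with neither does not restrict connections at all.
function policyAllows(policy, url, pageOrigin) {
  const sources = policy['connect-src'] ?? policy['default-src'];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Several policies: the request must satisfy every one of them. The result
// is the intersection, so a permissive policy never loosens a strict one.
function connectAllowed(policyHeaders, urlString, pageOrigin = PAGE_ORIGIN) {
  const url = new URL(urlString);
  return policyHeaders.map(parsePolicy).every((p) => policyAllows(p, url, pageOrigin));
}

const HOST_DEFAULT = "connect-src 'none'";                         // host before the fix
const APP_OWN      = "default-src 'self'; connect-src *";           // the app's own permissive policy
const HOST_FIXED   = "connect-src 'self' *.powerplatform.com";     // the page's recommendation
const HOST_NARROW  = "connect-src 'self' *.environment.api.powerplatform.com";

function demo() {
  return {
    beforeFix: connectAllowed([HOST_DEFAULT, APP_OWN], TRIGGER_URL),                   // false
    afterFix: connectAllowed([HOST_FIXED, APP_OWN], TRIGGER_URL),                      // true
    narrowerAlsoWorks: connectAllowed([HOST_NARROW, APP_OWN], TRIGGER_URL),            // true
    apexNotCovered: connectAllowed(['connect-src powerplatform.com'], TRIGGER_URL),    // false
    otherHostStillBlocked: connectAllowed([HOST_FIXED, APP_OWN], 'https://attacker.example/exfil'), // false
  };
}

console.log(demo());
```

The beforeFix case is the situation described in this post: the app's own connect-src * is irrelevant because the host's 'none' also has to be satisfied. The otherHostStillBlocked case is why keeping the source list narrow matters; after the fix, a script in the app still cannot send data to an arbitrary host.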
Key Takeaways
- The block is enforced by the browser, not by the flow or the server — no amount of flow reconfiguration will fix it
- Your local dev environment doesn't reproduce this because it isn't subject to the Power Apps host's CSP
- The fix lives in Admin Center → Privacy + Security → Content security policy → App tab, not in your app code
- You need environment administrator access to apply it. If you don't have it, bring the specific domain (*.powerplatform.com) to whoever manages your Power Platform environment