Version: Enterprise Edition v2026.1 (119033)
Deployment: Unknown (Corporate system)
what are you trying to achieve
I am trying to see SonarQube badges in an Azure DevOps Markdown dashboard which now looks like this:
This was working until Microsoft added some additional security checks that apparently check for a CORS header to be present. It was reported to Microsoft and, after analysis, considered “working as designed”. See this thread.
what have you tried so far to achieve this
I have checked the header returned by the Sonar server:
~ () http "https://on.prem.server.com/sonarqube/api/project_badges/measure?project=MyProject&metric=coverage&token=mytoken"
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 4779
Content-Security-Policy: default-src 'self'; base-uri 'none'; connect-src 'self' http: https:; font-src 'self' data:; frame-src; img-src * data: blob:; object-src 'none'; script-src 'self' 'sha256-hK8SVWFNHY0UhP61DBzX/3fvT74EI8u6/jRQvUKeZoU='; style-src 'self' 'unsafe-inline'; worker-src 'self'
Content-Type: image/svg+xml
Date: Mon, 13 Apr 2026 09:02:21 GMT
Etag: W/493733241156943488
Strict-Transport-Security: max-age=315360000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
I am looking for a solution to this issue to keep using our badge-based dashboard in ADO (or to find an equivalent alternative solution).
