How to enable CSP in asp:UpdatePanel without having to write 'unsafe-inline'

Question

I have an asp:UpdatePanel and asp:ScriptManager in my web form. When I enable CSP in the web.config as below, the functionality of the pages are not working like 'OnSelectedIndexChanged' event of asp:DropDownList and many more.

<add name="Content-Security-Policy" value="default-src 'self' ; script-src 'self'; style-src 'self' ; font-src 'self' ; connect-src * 'self'; img-src * 'self' data: https: data: http:;object-src 'self'" />

Kindly help on how I can fix this issue without writing 'unsafe-inline'.

Answer 1

AFAIK you aren't going to be able to get this to work. WebForms pretty much requires unsafe inline scripting and unsafe eval so it cannot be disabled in the CSP. It might work in the simplest of example pages but not in a more realistic situation.

Having said that, refer to this Stack Overflow post where there is talk about setting some script manager options that may help a little but the 2 unsafe options are still pretty much required. You'd need to move away from Web forms to meet more current CSP standards.

Answer 2

if you want to use CSP with webforms and not require unsafe-inline, your code (or any controls you call) can not use the webform script manager RegisterClientScriptBlock() or RegisterStartupScript() methods as they produce inline script.

note: back when I coded webforms, I wrote my own script manager which allowed me to change the generated javascript. you could do the same and add support for a nonce.