Issues with implementation of Content security policy header in ASP.NET Web Forms application.

Question

Issues with implementation of Content security policy header in ASP.NET Web Forms application.

Prasad Khalane 20

Apr 15, 2023, 4:43 AM

Hi Team, We are facing below five issues while adding CSP header in Asp.Net Web Forms application. Please guide to fix these issue with minimum changes.

Application is not able to execute inline scripts after adding CSP to web.config file. Example: <script type="text/javascript"> var applicationdomain; function initLoad() { document.body.style.display="none"; if( top.document.domain == applicationdomain ) { document.body.style.display=""; } else { top.location = self.location; } } </script> Currently, we have more than 100 inline scripts tags which are not working.
Apart from these, Asp.Net auto injects some scripts at runtime to handle post back and other events. These scripts are also blocked by CSP. Example: <script type="text/javascript"> //<![CDATA[ var theForm = document.forms['aspnetForm']; if (!theForm) { theForm = document.aspnetForm; } function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } //]]> </script>
Inline events are blocked by CSP. Example: <a id="ctl00_LoginStatus1" onclick="closePops(&#39;cf0a3db0-7af3-42a5-87cd-23f12617d258');" class="logout" href="javascript:__doPostBack('ctl00$LoginStatus1$ctl00','')">Logout</a>
Inline styles are also blocked by CSP. <div id="ctl00_MessageSummary" class="ErrorValidationMessage" style="color:Red;width:100%;display:none;"> </div> <div id="ctl00_ValidationSummary1" class="ErrorValidationMessage" style="color:Red;width:100%;display:none;"> </div> <div id="ctl00_ValidationSummary2" class="ErrorValidationMessage" style="color:Red;width:100%;display:none;"> Currently, we have more than 1000 inline style elements in our application
CSP also blocking execution of WebResource.axd file. Example: We are using custom control in our application: [assembly: WebResource("Common.Javascript.MultiLine.js", "application/x-javascript")] namespace Internet.CM { [DefaultProperty("Text")] [ToolboxData("<{0}:MultiLine runat=server></{0}:MultiLine>")] public class MultiLine : TextBox { [Bindable(true)] [Category("Appearance")] [DefaultValue("")] [Localizable(true)]

AgaveJoe 29,871 Reputation points

Apr 16, 2023, 12:02 AM

The Web Forms framework does not support CSP.
Prasad Khalane 20 Reputation points

Apr 16, 2023, 7:15 AM

Hi, Actually there are some workarounds available like adding hash/nonce as a source. However, we need to apply these changes to all scripts. Instead we are looking how can we achieve the with minimum changes.
AgaveJoe 29,871 Reputation points

Apr 16, 2023, 10:29 AM

For the second time! The Web Forms framework does not support CSP. Web Forms is at least 10 years older than the first CSP specification.
QiYou-MSFT 4,326 Reputation points Microsoft External Staff

Apr 17, 2023, 5:57 AM

Hi @Prasad Khalane

First, there are many server controls in Webform that need to be converted to HTML controls. This conversion requires some axd files, such as ScriptResource.axd. CSP generally do not allow external JavaScript. I've also had this issue once, I tried adding random numbers and hash encoding to make CSP compatible with this file but both failed. But CSP works perfectly in ASP.NET MVC. Best Regards

Qi You
Anuj Dubey 0 Reputation points

Jan 25, 2024, 10:25 AM

Hi @Prasad Khalane , did you find any soln for these CSP issues?