ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,254 questions
How to Properly Use Response Headers for Content Security Policy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 90%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
lesponce
176
Reputation points
A code scanning report is identifying a vulnerability indicating that a Content Security Policy is not explicitly defined within the web application. I've tried the code below, but for some reason it's affecting my SSO functionality. Once I get authenticated, the I get error: Failed to load resource: the server responded with a status of 502.
I got the error after I added the code below. It may be possible that I'm overcomplicating the code related to the policies. If I remove the code related to the "Content-Security-Policy", it works fine. I just need to mitigate the issue.
This works fine in my DEV environment, but issue occurs in my test environment.
Any feedback is greatly appreciated.
app.use(async (context, next) => {
context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
context.Response.Headers.Add("Content-Security-Policy",
"script-src 'self' 'unsafe-eval' 'unsafe-inline' maxcdn.bootstrapcdn.com;"
+ "style-src 'self' 'unsafe-inline' maxcdn.bootstrapcdn.com fonts.googleapis.com;"
+ "font-src 'self' 'unsafe-inline' maxcdn.bootstrapcdn.com fonts.googleapis.com;");
await next();
}
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 57.99999999999999%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Jerry Fu - MSFT 561 Reputation points Microsoft Vendor2023-08-17T07:11:46.0633333+00:00 Could you open Developer tools(F12) in the browser and check the "console" tag to see if there are specific reject details? From my view, the difference between DEV environment and test environment is 'self'.
-
lesponce 176 Reputation points
2023-08-17T15:04:35.8633333+00:00 I simplified the script to the following code:
default-src * 'unsafe-inline' maxcdn.bootstrapcdn.com
I'm not getting error, but the code scan reports says this code is overly permissive. Any thoughts to resolve this?
-
Jerry Fu - MSFT 561 Reputation points Microsoft Vendor
2023-08-18T07:46:12.4733333+00:00 How about try simplified the script to produce the error? There should be error details in F12.
Sign in to comment