Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,933 questions
Problem with Content Security Policy on App Service
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 87%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Samo Simončič
1
Reputation point
We are hosting WordPress on the App Service. We would like to have google analytics but it seems that the default Content Security Policy on App Service blocks the google analytics request. We get the following error:
Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=UA-14354' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Can someone tell me where I can change Content Security Policy on App Service? I was trying to add the following code
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self';"/>
</customHeaders>
</httpProtocol>
in web.confing file via Kudo but every time I get the following error:
The page cannot be displayed because an internal server error has occurred.
I will appreciate for help.
Samo
Azure App Service
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 55.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
ajkuma 28,036 Reputation points Microsoft Employee Moderator2021-09-08T20:29:24.38+00:00 Samo, While I'm checking on this internally, could you try these flow:
It could be either added as part of
web.configorapplication code<system.webServer> <httpProtocol> <customHeaders> <add name="Content-Security-Policy" value="default-src 'self'" /> </customHeaders> </httpProtocol> </system.webServer>In your case: <add name="Content-Security-Policy" value="default-src 'self';"/>
Test it out 1: <add name="Content-Security-Policy" value="default-src 'self'" />
Test it out 2: <add name="Content-Security-Policy" value="default-src 'self';" />Kindly let us know, I'll follow-up with you on this further.
Sign in to comment
Sign in to answer