Reportviewer was not able to load data when enabled Content Security Policy

Li Shi Quan (NCS) 1 Reputation point

Reportviewer works fine without Content Security Policy, how to resolve the loading issues when enable CSP?

Reportviewer works with ScriptManager. and many auto js will inital added when page load. these js was stopped execute cased by CSP.

A set of technologies in the .NET Framework for building web applications and XML web services.
3,246 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Lan Huang-MSFT 25,386 Reputation points Microsoft Vendor

    Hi @Li Shi Quan (NCS) ,

    After the content security policy is enabled. Browsers examine the sources of pages and determine whether they meet the requirements of the content safety directive. When a resource does not comply with policy directives, the browser does not load the resource.
    For example, consider a policy that does not allow third-party scripting. When a page <scr ipt> contains markup with a third-party source in the src attribute, the browser prevents the script from loading.

    You can try the following:

    • Move all inline code and styles to a separate file and reference it.
    • Try adding a config entry as below: <system.webServer> <httpProtocol> <customHeaders> <add name="Content-Security-Policy" value="default-src 'self';" /> </customHeaders> </httpProtocol> </system.webServer>
      The default-src directive defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media. Not all directives fallback to default-src. See the Source List Reference for possible values.

    More details can be found here:

    Best regards,
    Lan Huang

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Li Shi Quan (NCS) 1 Reputation point

    Hi LanHuang-MSFT

    thanks for your response. and sorry to late reply.
    ReportViewer was created in Webform and I even checked which mentioned CSP is not full support Webforms.
    like when we create ReportViewer or Girdview or some other controller which will auto generate some JS (Ajax js)in page. like __DoPostBack(). init ScriptResource.axd. and WebResource.axd. which is against CSP. appreciate if you can help provide solution to resolve the complicit between CSP and __DoPostBack(). init ScriptResource.axd. and WebResource.axd