Hello team,
Without a CSP, attackers can inject malicious scripts into web pages, leading to Cross-Site Scripting (XSS) vulnerabilities. This could allow attackers to steal cookies, session tokens, or perform actions on behalf of users.
So I have added the below CSP in the head tag of Layout.cshtml:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none';">
But I am getting many errors like the one below in the console, and the application is also not working properly.
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-jJM8ABruwVX3rGcVNnQ2Dj3dMq5AyDhLGnN8uyg9hBo='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Please let me know if there is any existing functionality for this, or how I can implement it.
1 Answer(s)
Hi @kansoftware
Can you change the structure you use as follows? At the same time, can you add the Content Security Policy to Startup.cs as middleware? It would be safer. When you add it this way, the console will not give an error. You need to organize the external links and directives according to your own system.
app.Use(async (context, next) =>
{
    // Set the CSP header on every response; adjust the origins to your own hosts/ports.
    context.Response.Headers["Content-Security-Policy"] =
        "default-src 'self'; " +
        "script-src 'self' 'unsafe-inline'; " +
        "style-src 'self' 'unsafe-inline'; " +
        "img-src 'self' data:; " +
        "connect-src 'self' ws://localhost:64375 wss://localhost:44380 http://localhost:64375; " +
        "object-src 'none';";
    await next();
});
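The console error in the question already names the stricter alternative to 'unsafe-inline': a per-request nonce. The example below is added here and is not code from the original post or from the project; it shows the same middleware idea as the answer, but generates a nonce on each request, stores it in HttpContext.Items for Layout.cshtml to read, and can emit the policy in report-only mode while you find which inline scripts and styles still need a nonce. The option class name, the "csp-nonce" item key and the UseContentSecurityPolicy extension name are assumptions; the localhost origins are copied from the answer above.

```csharp
// Added example (not from the original post or the project): nonce-based CSP
// middleware for ASP.NET Core. Sending the policy as a response header, rather
// than a <meta> tag, covers every response and allows directives such as
// frame-ancestors that browsers ignore inside <meta>.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class CspMiddlewareExtensions
{
    // Hypothetical options type; defaults copy the origins used in the answer above.
    public sealed class CspOptions
    {
        public string[] ConnectSrc { get; set; } =
        {
            "'self'", "ws://localhost:64375", "wss://localhost:44380", "http://localhost:64375"
        };

        // While true, violations are only reported in the console, nothing is blocked.
        public bool ReportOnly { get; set; } = false;
    }

    // 128 bits of CSPRNG output, base64-encoded, as the CSP nonce grammar requires.
    public static string GenerateNonce()
    {
        var bytes = new byte[16];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Builds the policy string; only inline script/style tags carrying this
    // request's nonce are allowed, so 'unsafe-inline' is no longer needed.
    public static string BuildPolicy(string nonce, CspOptions options)
    {
        return
            "default-src 'self'; " +
            $"script-src 'self' 'nonce-{nonce}'; " +
            $"style-src 'self' 'nonce-{nonce}'; " +
            "img-src 'self' data:; " +
            "font-src 'self'; " +
            "connect-src " + string.Join(" ", options.ConnectSrc) + "; " +
            "object-src 'none'; " +
            "base-uri 'self'; " +
            "frame-ancestors 'self';";
    }

    public static IApplicationBuilder UseContentSecurityPolicy(
        this IApplicationBuilder app, CspOptions options = null)
    {
        options ??= new CspOptions();
        return app.Use(async (context, next) =>
        {
            var nonce = GenerateNonce();
            // Razor views read this as @Context.Items["csp-nonce"] (key is an assumption).
            context.Items["csp-nonce"] = nonce;

            var headerName = options.ReportOnly
                ? "Content-Security-Policy-Report-Only"
                : "Content-Security-Policy";
            context.Response.Headers[headerName] = BuildPolicy(nonce, options);

            await next();
        });
    }
}
```

Register it early in Startup.Configure, e.g. `app.UseContentSecurityPolicy(new CspMiddlewareExtensions.CspOptions { ReportOnly = true });` before UseStaticFiles and UseRouting, so every response carries the header. In Layout.cshtml, each inline block then needs the nonce attribute, for example `<script nonce="@Context.Items["csp-nonce"]">...</script>` and likewise on inline `<style>` tags. Keep ReportOnly set to true until the console shows no more violations, then switch it to false; inline styles injected by third-party libraries will still be reported, and those are the places where a hash or a refactor to an external stylesheet is needed rather than reintroducing 'unsafe-inline'.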