
Content Security Policy fails with Create Edit Modals - Ajax call #9583


OutdoorEd created

NetZero 8.5 - ASP.NET Core 3.1 Jquery

We are using NWebSec to add Content Security Policy into ASP.NET Zero 8.5. We’re using nonces on all script tags in the application as such (so using the tag helper):

<script nws-csp-add-nonce="true">

We’re getting a CSP error on the administration pages where the modal window is being loaded.

[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-LxksDtd8QWExYudx431bw42g' 'unsafe-eval' www.google.com cse.google.com kendo.cdn.telerik.com cdnjs.cloudflare.com cdn.jsdelivr.net *.vimeo.com localhost". Either the 'unsafe-inline' keyword, a hash ('sha256-A89G9Jx+cHr6joI5m9XkZvnSPnz+jSxZZlJRNjwuHqc='), or a nonce ('nonce-...') is required to enable inline execution.

I assume we’re getting this error because the content of the modal (CreateOrEditModal) is loading content dynamically (through Ajax). We have added the following configuration in the Startup for NWebSec:

        app.UseHsts(options => options.MaxAge(days: 30));
        //app.UseNoCacheHttpHeaders(); //Registered after static files, to set headers only for dynamic content.
        app.UseRedirectValidation(); //Registered after static files, they don't redirect
        app.UseReferrerPolicy(options => options.StrictOriginWhenCrossOrigin());
        //app.UseReferrerPolicy(opts => opts.NoReferrerWhenDowngrade());
        app.UseXContentTypeOptions();
        app.UseXDownloadOptions();
        app.UseXfo(options => options.SameOrigin());
        //app.UseXfo(options => options.Deny());
        app.UseXRobotsTag(options => options
            .NoIndex()
            .NoFollow()
            .NoArchive()
            .NoImageIndex()
            .NoOdp()
            .NoSnippet()
            .NoTranslate()
            );
        app.UseXXssProtection(options => options.EnabledWithBlockMode());

        app.UseCspReportOnly(options => options
            .UpgradeInsecureRequests()
            .DefaultSources(s => s
                .Self()
                .CustomSources("data:")
                .CustomSources("https:")
                )
            .FontSources(s => s
                .Self()
                .CustomSources("fonts.googleapis.com", "*.fontawesome.com", "kendo.cdn.telerik.com", "*.vimeo.com"))
            .FormActions(s => s.Self())
            .FrameAncestors(s => s.Self())
            .FrameSources(s => s
                .Self()
                .CustomSources("*.youtube.com", "*.vimeo.com", "app.powerbi.com"))
            .ImageSources(s => s
                .Self()
                .CustomSources("kendo.cdn.telerik.com", "*.youtube.com", "*.vimeo.com", "data:"))
            .MediaSources(s => s
                .Self()
                .CustomSources("*.youtube.com", "*.vimeo.com"))
            .ScriptSources(s => s
                .Self()
                .CustomSources("www.google.com", "cse.google.com", "kendo.cdn.telerik.com", "cdnjs.cloudflare.com", "cdn.jsdelivr.net", "*.vimeo.com", "localhost")
                .UnsafeEval() //TODO Required for Kendo
                )
            .StyleSources(s => s
                .Self()
                .UnsafeInline()
                .CustomSources("*.google.com", "fonts.googleapis.com", "kendo.cdn.telerik.com", "cdn.jsdelivr.net", "*.vimeo.com", "*.youtube.com", "shepherdjs.dev/dist/css/shepherd.css"))
         );

Is there a way to get around these exceptions? Basically, we can't enable CSP on the application now since it'll block all admin pages.
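The browser evaluates an inline script against the policy of the document it ends up in, not against the headers of the Ajax response that delivered the fragment, so a nonce minted for the modal's own request cannot match the 'nonce-...' value in the page's script-src. The following is an added example, not code from the question or from NWebSec: a minimal model of that check using the directive quoted in the error above, with `inline_script_allowed`, `script_hash` and the second nonce value being constructed for illustration. It also shows the hash-source alternative the error message names.

```python
import base64
import hashlib
from typing import List, Optional

# The script-src directive exactly as reported in the [Report Only] violation.
DOCUMENT_POLICY = (
    "script-src 'self' 'nonce-LxksDtd8QWExYudx431bw42g' 'unsafe-eval' "
    "www.google.com cse.google.com kendo.cdn.telerik.com cdnjs.cloudflare.com "
    "cdn.jsdelivr.net *.vimeo.com localhost"
)

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_script_src(policy: str) -> List[str]:
    """Return the source expressions of the script-src directive (empty if absent)."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def script_hash(body: str) -> str:
    """CSP hash-source for an inline script body: base64(sha256(body))."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(policy: str, body: str, nonce: Optional[str] = None) -> bool:
    """True if an inline script with this body/nonce passes the document's policy."""
    sources = parse_script_src(policy)
    has_nonce_or_hash = any(
        s.startswith("'nonce-") or s.startswith(HASH_PREFIXES) for s in sources)
    # 'unsafe-inline' only counts when no nonce or hash source is present (CSP level 2).
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    # A nonce attribute must equal a nonce listed in *this* document's policy.
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    # Otherwise the script body itself must be whitelisted by hash.
    return script_hash(body) in sources
```

A fragment rendered with the page's own nonce passes; one rendered with a nonce from a separate response is refused, which is the [Report Only] violation seen on the modal pages.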


1 Answer(s)
    ismcagdas created
    Support Team

    Hi **@outdoored**

    We haven't used this library before. Could you create a simple modal page with just simple text content and try to open it?