2

I have implemented code to manage the Content Security Policy layer in my application. My implementation is based on an ActionFilterAttribute which was inspired by the code available here (I am including it in the question for the sake of simplicity).

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Filter wrapper added so the snippet compiles; the attribute class name is not given in the question.
public class SecurityHeadersAttribute : ActionFilterAttribute {
    public override void OnResultExecuting( ResultExecutingContext context ) {
        var result = context.Result;
        // only decorate rendered views, not JSON/file/redirect results
        if ( result is ViewResult ) {
            if ( !context.HttpContext.Response.Headers.ContainsKey( "X-Content-Type-Options" ) ) {
                context.HttpContext.Response.Headers.Add( "X-Content-Type-Options", "nosniff" );
            }
            if ( !context.HttpContext.Response.Headers.ContainsKey( "X-Frame-Options" ) ) {
                context.HttpContext.Response.Headers.Add( "X-Frame-Options", "SAMEORIGIN" );
            }

            var csp = "default-src *;";

            // once for standards compliant browsers
            // (note: this block is skipped entirely if another component already set the header)
            if ( !context.HttpContext.Response.Headers.ContainsKey( "Content-Security-Policy" ) ) {
                context.HttpContext.Response.Headers.Add( "Content-Security-Policy", csp );
            }
            // and once again for IE
            if ( !context.HttpContext.Response.Headers.ContainsKey( "X-Content-Security-Policy" ) ) {
                context.HttpContext.Response.Headers.Add( "X-Content-Security-Policy", csp );
            }
        }
    }
}

However, as you can see from the following pictures, I still get errors in the browser (Firefox in the sample). This is the developer console showing the headers which are present:

(screenshot: Request headers)

And these are the console errors

(screenshot: Console)

What am I doing wrong, especially for the last three errors in the console?

Nkosi
Lorenzo
  • The code snippet in the question seems to show you’re setting a `Content-Security-Policy: default-src *;` header, but the developer-console screen capture shows a `Content-Security-Policy: script-src 'self; style-src 'self', img-src 'self'`. Why? – sideshowbarker Oct 20 '17 at 09:50
  • It seems that the code block which adds the Content Security Policy to the header (the one with the comment `once for standards compliant browsers`) does not run because the key is already present in the header. While the solution could be simple I would like to understand who added it... – Lorenzo Oct 20 '17 at 09:53
  • Well I also now notice that the console errors shown are for a CSP header that also has `script-src: https://localhost:5000` and `style-src: https://localhost:5000`… – sideshowbarker Oct 20 '17 at 09:57

1 Answer

4

To eliminate the CSP errors in the console screen capture, you must make this header happen:

Content-Security-Policy:
  script-src 'self' https://cdnjs.cloudflare.com;
  style-src 'self' https://fonts.googleapis.com;
  img-src 'self' data:

(The value shown above is broken up across multiple lines just for readability.)

The key points are:

  • you need to have 'self' in there
  • you need to give the origin values for the third-party https://cdnjs.cloudflare.com and https://fonts.googleapis.com origins that you’re loading fonts and scripts from
  • you need to have data: in there to allow the data:image/gif URL in your markup

And if the document is really also loading resources from https://localhost:5000 then you need to have that in there too.

And if there’s already some other part of your backend that’s adding a CSP header, then it’s important to understand that any policy you add with an additional CSP header can only make the policy stricter, not more liberal.

So if the CSP header that’s being added elsewhere is a stricter one than you need, then you must find the part of the system which is adding that, and make it stop. And then you can add the more-liberal CSP header you need.

sideshowbarker
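The two points the answer makes, that every origin and scheme the page fetches from must be listed in the governing directive and that a second Content-Security-Policy header can only narrow what another one allows, as an added Python example (not code from the question, the answer or ASP.NET Core): a toy evaluator for CSP source lists, run over the three policies named in the thread. The page origin, the CDN script URL and the data: GIF are constructed sample values, and only the source forms that appear in the thread are modelled.

```python
"""Toy CSP source-list evaluator (added example, not code from the question or answer).

It models the two things the thread turns on:
  * a fetch is allowed only if some source expression in the governing directive matches it
    (falling back to default-src, and unrestricted if neither directive is present), and
  * when a response carries several Content-Security-Policy headers, the browser enforces
    each one independently, so the fetch must pass all of them. Adding a header can only
    tighten the effective policy; it can never re-open what another header closed.
Covers the source forms used in the thread: *, 'self', 'none', scheme sources (data:) and
host sources with an explicit scheme. Wildcard hosts, nonces and hashes are out of scope.
"""
from urllib.parse import urlparse

_DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _origin(url):
    """(scheme, host, port) with the default port filled in, for origin comparison."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme)


def parse_policy(header_value):
    """Parse 'directive src src; directive ...' into {directive: [sources]}.
    As in the spec, a directive repeated inside one policy keeps its first occurrence."""
    policy = {}
    for group in header_value.split(";"):
        tokens = group.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _source_matches(source, url, page_origin):
    """Does one source expression allow this URL, given the origin of the document?"""
    scheme, host, port = _origin(url)
    if source == "'none'":
        return False
    if source == "*":
        # '*' covers network schemes only; data:, blob: and filesystem: URLs need their
        # scheme listed explicitly, which is why the answer puts data: into img-src
        return scheme not in ("data", "blob", "filesystem")
    if source == "'self'":
        return (scheme, host, port) == _origin(page_origin)
    if "://" in source:                              # host source, e.g. https://cdnjs.cloudflare.com
        return (scheme, host, port) == _origin(source)
    if source.endswith(":") and "/" not in source:   # scheme source, e.g. data: or https:
        return scheme == source[:-1]
    return False  # keywords such as 'unsafe-inline' govern inline code, not URL fetches


def is_allowed(url, directive, policy, page_origin):
    """Allowed by one policy? The directive governs, default-src is the fallback,
    and with neither present the policy says nothing about this fetch."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_matches(s, url, page_origin) for s in sources)


def allowed_by_all(url, directive, header_values, page_origin):
    """Several CSP headers on one response: the fetch must satisfy every one of them."""
    return all(is_allowed(url, directive, parse_policy(h), page_origin) for h in header_values)


# Constructed sample values taken from the thread's text.
PAGE_ORIGIN = "https://localhost:5000"          # the origin visible in the question's console
LIBERAL = "default-src *;"                        # what the question's filter tries to send
STRICT = "script-src 'self'; style-src 'self'; img-src 'self'"  # what another layer already sends
FIXED = ("script-src 'self' https://cdnjs.cloudflare.com; "
         "style-src 'self' https://fonts.googleapis.com; "
         "img-src 'self' data:")                  # the header the answer asks for
CDN_SCRIPT = "https://cdnjs.cloudflare.com/ajax/libs/example/1.0/example.min.js"  # constructed URL
GIF = "data:image/gif;base64,R0lGODlhAQABAAAAACw="                                   # constructed data URL


def demo():
    """Effective outcome for each (header set, fetch) combination discussed in the thread."""
    return {
        "cdn script, liberal only": allowed_by_all(CDN_SCRIPT, "script-src", [LIBERAL], PAGE_ORIGIN),
        "cdn script, liberal + strict": allowed_by_all(CDN_SCRIPT, "script-src", [LIBERAL, STRICT], PAGE_ORIGIN),
        "cdn script, fixed": allowed_by_all(CDN_SCRIPT, "script-src", [FIXED], PAGE_ORIGIN),
        "data: gif, liberal only": allowed_by_all(GIF, "img-src", [LIBERAL], PAGE_ORIGIN),
        "data: gif, fixed": allowed_by_all(GIF, "img-src", [FIXED], PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'allowed' if ok else 'BLOCKED':8} {case}")
```

Running it shows the situation in the comments: with `default-src *` alone the CDN script loads, but as soon as the stricter `script-src 'self'` header from the other component is also present the same script is blocked, and no change to the liberal header can undo that. It also shows a caveat the answer's policy carries: with no `default-src` and no `font-src`, a font fetched from a third origin is not restricted at all, so a real deployment would normally add a `default-src` fallback.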