I have implemented code to manage the Content Security Policy layer in my application.
My implementation is based on an ActionFilterAttribute inspired by the code available here (I am including it in the question for the sake of simplicity).
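// Adds browser hardening headers to HTML view responses only; any other
// result type (JSON, file, redirect, ...) is left untouched by this filter.
// Each header is only set when the action has not already set one, so a
// per-action policy wins over this default.
public override void OnResultExecuting( ResultExecutingContext context ) {
    var result = context.Result;
    if ( !( result is ViewResult ) ) {
        return;
    }

    var headers = context.HttpContext.Response.Headers;

    // Stop MIME sniffing so the response is only interpreted as its declared type.
    if ( !headers.ContainsKey( "X-Content-Type-Options" ) ) {
        headers.Add( "X-Content-Type-Options", "nosniff" );
    }

    // Legacy clickjacking defence; the CSP frame-ancestors directive below
    // states the same restriction for browsers that implement CSP level 2,
    // where it takes precedence over this header.
    if ( !headers.ContainsKey( "X-Frame-Options" ) ) {
        headers.Add( "X-Frame-Options", "SAMEORIGIN" );
    }

    // NOTE(review): "default-src *" allows every origin, so it offers little
    // protection, yet it still forbids inline <script>/<style>, inline event
    // handlers, javascript: URLs, eval() and the data:/blob: schemes, because
    // the wildcard never matches those. That is what the browser console
    // reports. Adding 'unsafe-inline' / 'unsafe-eval' silences the errors but
    // removes the XSS protection CSP is meant to provide; prefer moving inline
    // code into files served from an allowed origin, or allow it with a
    // per-response nonce or a sha256 hash. frame-ancestors does not fall back
    // to default-src, so it is stated explicitly to match SAMEORIGIN above.
    var csp = "default-src *; frame-ancestors 'self';";

    // once for standards compliant browsers
    if ( !headers.ContainsKey( "Content-Security-Policy" ) ) {
        headers.Add( "Content-Security-Policy", csp );
    }
    // and once more under the pre-standard header name used by old IE/Firefox
    // builds; current browsers ignore it, so it adds nothing beyond compatibility.
    if ( !headers.ContainsKey( "X-Content-Security-Policy" ) ) {
        headers.Add( "X-Content-Security-Policy", csp );
    }
}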
However, as you can see from the following pictures, I still get errors in the browser (Firefox in the sample). This is the developer console showing the headers that are present:
And these are the console errors
What am I doing wrong, especially regarding the last three errors in the console?