Comments (4)
Errors can be fixed by adding
CustomSources = String.Join(" ", "localhost:*", "ws://localhost:*")
to connect-src
CustomSources = String.Join(" ", "localhost:*", "data:")
to img-src
CustomSources = String.Join(" ", ContentDeliveryNetwork.Google.Domain, ContentDeliveryNetwork.Microsoft.Domain, "localhost:*")
to script-src
(replace localhost with a domain where applicable)
... typical, fixing shortly after asking for help. However, I'm glad I did, because otherwise everyone else will have this problem, too.
In the script-src filter, adding this is also recommended:
#if DEBUG
UnsafeInline = true // DEFAULT = commented
#else
// UnsafeInline = true // DEFAULT = commented
#endif
It will prevent CSP violations for Glimpse.
Thanks for raising this.
These CSP violation errors are caused by Visual Studio's browser link feature which runs at http://localhost:[Random Port]. Browser link works by injecting in-line script into your page. There is a comment about it in FilterConfig.cs. In my comment, I suggest either turning off CSP in code (Comment out AddContentSecurityPolicyFilters(filters)), or turning off browser link (Uncheck 'Enable browser link' in Visual Studio). Ideally Microsoft should support CSP, I have raised this on UserVoice.
The above approach works but ideally you should only add localhost:* to the white-list in debug mode (You can use the pre-processor directives you do below). I think your first set of code could be added to the project.
I would be interested to learn of any other reasons for CSP violations occurring, in particular where are you getting "It will prevent CSP violations for Glimpse". One I have noticed that you can ignore is a CSP violation for visiting the Elmah page while having Glimpse turned on.
After a bit of testing I've found that adding to the script-src and img-src directives is enough to allow browser link:
filters.Add(
    new CspImgSrcAttribute()
    {
#if DEBUG
        // Allow Browser Link to work in debug mode only.
        CustomSources = string.Join(" ", "data:"),
#else
        // Allow images from example.com.
        // CustomSources = "*.example.com",
#endif
        // Allow images from the same domain.
        Self = true,
    });
filters.Add(
    new CspScriptSrcAttribute()
    {
        // Allow scripts from the CDN's.
        CustomSources = string.Join(
            " ",
#if DEBUG
            // Allow Browser Link to work in debug mode only.
            "localhost:*",
#endif
            ContentDeliveryNetwork.Google.Domain,
            ContentDeliveryNetwork.Microsoft.Domain),
        // Allow scripts from the same domain.
        Self = true,
        // Allow the use of the eval() method to create code from strings. This is unsafe and can open your
        // site up to XSS vulnerabilities.
        // UnsafeEval = true,
        // Allow in-line JavaScript, this is unsafe and can open your site up to XSS vulnerabilities.
        // UnsafeInline = true
    });
I'd be interested to know why you needed the extra directives. Thanks!
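To show why 'self' alone is not enough for Browser Link and why each comment above reaches for localhost:*, ws://localhost:* and data:, here is a small CSP Level 2 source matcher. It is an added example, not code from this thread or from the NWebSec/Boilerplate projects; the page origin, the Browser Link port and the data: image are constructed values, and the matcher ignores paths, nonces and hashes and does not apply the Level 3 ws/wss upgrade for scheme-less sources.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)


def source_allows(source, url, page_origin):
    """True if one CSP Level 2 source expression permits `url` on a page at
    `page_origin`. Simplified: paths are ignored, nonces/hashes not handled."""
    scheme, host, port = _origin(url)
    page_scheme, page_host, page_port = _origin(page_origin)
    if source == "'self'":  # same scheme, host AND port as the page
        return (scheme, host, port) == (page_scheme, page_host, page_port)
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. data:
        return scheme == source[:-1]
    # host-source: [scheme://]host[:port]
    if "://" in source:
        src_scheme, _, rest = source.partition("://")
        if scheme != src_scheme:  # an explicit scheme must match exactly
            return False
    else:  # scheme-less: inherits the page scheme; http pages may also use https
        rest = source
        if scheme not in ({"http", "https"} if page_scheme == "http" else {page_scheme}):
            return False
    src_host, _, src_port = rest.split("/")[0].partition(":")
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif src_host != host:
        return False
    if src_port == "*":  # wildcard port: what Browser Link's random port needs
        return True
    if src_port:
        return port == int(src_port)
    return port == DEFAULT_PORTS.get(scheme)  # no port given: scheme default only


def directive_allows(directive_value, url, page_origin):
    """Apply a whole directive value such as "'self' localhost:*"."""
    return any(source_allows(s, url, page_origin) for s in directive_value.split())


# Constructed values: the app under the debugger and Browser Link on a random port.
PAGE, BL_SCRIPT = "http://localhost:55555", "http://localhost:12345/browserLink"
BL_SOCKET, INLINE_IMG = "ws://localhost:12345/", "data:image/png;base64,iVBORw0KGgo="
```

With these values, directive_allows("'self'", BL_SCRIPT, PAGE) is False because the port differs from the page's, while "'self' localhost:*" allows it; the websocket is only covered by ws://localhost:* and the inline image only by data:.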
This is a difficult one.
For MVC 6 I have asked that CSP be taken into consideration for Browser Link. If it could return the URL it is using, then that would solve all problems as we could add it to the white-list. No NWebSec for MVC 6 yet though anyway.
For MVC 5, I have made the above fix for the next version.