  • Nikhil 54 posts 166 karma points
    Mar 04, 2020 @ 10:22
    Nikhil
    0

    Umbraco v8 - Breaks when "Content-Security-Policy" is added to web.config. Require an acceptable policy.

    I added:

    <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com https://cdnjs.cloudflare.com; style-src-elem 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com https://cdnjs.cloudflare.com; font-src 'self' https://stackpath.bootstrapcdn.com https://cdnjs.cloudflare.com;" />
    

    I had to add 'unsafe-inline' which defeats the whole purpose.

    Umbraco v8 would not work as a lot of CDN content is used in Umbraco.

    Is there any acceptable "Content-Security-Policy" for Umbraco v8 that works?

  • Jeavon Leopold 3072 posts 13628 karma points MVP 10x admin c-trib
    Mar 04, 2020 @ 12:59
    Jeavon Leopold
    0

    Either create a different policy for the Umbraco path or don't have a CSP for the umbraco path at all.

    e.g.

    <location path="umbraco">
        <system.webServer>
            <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
            <httpProtocol>
                <customHeaders>
                    <remove name="Content-Security-Policy" />
                </customHeaders>
            </httpProtocol>
        </system.webServer>
    </location>
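
The answer above shows only the "no CSP for the umbraco path" variant. The following is an added example, not part of the original posts, sketching the other option it mentions: a different policy for the back office path. It assumes the public pages work without inline styles, and the `default-src 'self'` value in the report-only header is a constructed starting point, not a policy known to work with Umbraco v8.

```xml
<configuration>
  <!-- Site-wide: the policy from the question with 'unsafe-inline' dropped.
       Assumption: the public pages use no inline style blocks or style attributes. -->
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self' https://stackpath.bootstrapcdn.com https://cdnjs.cloudflare.com; style-src-elem 'self' https://stackpath.bootstrapcdn.com https://cdnjs.cloudflare.com; font-src 'self' https://stackpath.bootstrapcdn.com https://cdnjs.cloudflare.com;" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  <!-- Back office only: remove the inherited enforcing header, as in the answer,
       and send a report-only policy in its place. Report-only never blocks
       anything; the browser console lists each source the back office loads
       that the policy would have refused, which gives the list needed to write
       an enforcing back office policy later. -->
  <location path="umbraco">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="Content-Security-Policy" />
          <!-- Constructed starting value, to be widened from observed violations. -->
          <add name="Content-Security-Policy-Report-Only" value="default-src 'self'" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>
```

Requesting a public page and a page under `/umbraco` and comparing the response headers confirms that the relaxed setting applies to the back office path only.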
    