
In a small ASP.NET MVC test application, I added the appropriate httpProtocol code to the web.config file, as described in this article:

  <system.webServer>
    <handlers>
      <remove name="BlockViewHandler"/>
      <add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />
    </handlers>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

However, on a test page in the application, the Vue.js code still works, which the content security policy should be blocking, since it is being loaded from a CDN.

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Home Page2 - Meine ASP.NET-Anwendung</title>
    <link href="/Content/bootstrap.css" rel="stylesheet"/>
<link href="/Content/site.css" rel="stylesheet"/>

    <script src="/Scripts/modernizr-2.6.2.js"></script>


    <script src="https://cdnjs.cloudflare.com/ajax/libs/vue/2.1.4/vue.js"></script>
</head>
<body>
    <div class="container mainMenu">
        <ul>
            <li><a href="/">Start Page</a></li>
            <li><a href="/Home/About">About</a></li>
            <li><a href="/Home/Contact">Contact</a></li>
            <li><a href="/Home/Info">Info</a></li>
        </ul>
    </div>
    <div class="container body-content">
        <hr/>



<div id="app">
    this is a test: <b>{{message}}</b>
</div>


<script>

    var app = new Vue({
        el: '#app',
        data: {
            message: 'Vue.js ready'
        }
    });
</script>
        <hr/>
        <footer>
            <p>The footer</p>
        </footer>
    </div>

    <script src="/Scripts/jquery-1.10.2.js"></script>

    <script src="/Scripts/bootstrap.js"></script>
<script src="/Scripts/respond.js"></script>


</body>
</html>

What do I have to do to get the Content Security Policy to actually take effect in my site?

ADDENDUM

I can see in my dev tools, that the Content-Security-Policy is not being sent in the response headers:


Edward Tanguay
    You may first need something like then add your custom header. This is how I modified the mimetype a few years ago. – Anirudha Gupta Jul 10 '18 at 09:38
  • check this https://stackoverflow.com/a/49344540/713789 – Anirudha Gupta Jul 10 '18 at 09:42
  • @Adrian, I added `` one line above ``, but it had no effect. – Edward Tanguay Jul 10 '18 at 09:42
  • 1
    Have you confirmed that the header is being set correctly using the dev tools or something like postman? – Kirk Larkin Jul 10 '18 at 09:55
  • check the resulting request to see whether the header is actually being sent or not. – ADyson Jul 10 '18 at 09:56
  • @EdwardTanguay try it by modifying the applicationHost.config – Anirudha Gupta Jul 10 '18 at 09:58
  • I don't see Content-Security-Policy in headers shown in dev tools, I posted a screenshot above. – Edward Tanguay Jul 10 '18 at 10:51
  • @Adrian if we wanted to set this for all sites, I would set it in the Default Site settings in IIS (Http-Response-Headers), which we have determined works. But we would like to be able to set this individually for each site, which is why we want to get it working in the `web.config` file. – Edward Tanguay Jul 10 '18 at 11:14
  • 1
    @EdwardTanguay No, I mean that you can set it per site in ApplicationHost. It has more priority than the application web.config. Check my earlier link; in that link the person does that for his site specifically. – Anirudha Gupta Jul 10 '18 at 11:19
  • @EdwardTanguay I wanted to check-in to see if you were able to get your content policy working in your Web.config? – Trav Feb 22 '22 at 17:46
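The question above expects `default-src 'self'` to stop the Vue.js script from cdnjs. The following added example (written for this page, not code from the asker or from any project) walks through why: `script-src` is not set, so it falls back to `default-src`, and `'self'` only matches the page's own origin. The site origin `https://localhost:44300` is an assumption, as are the helper names; the script URLs are the ones on the posted test page. The matcher covers the common source expressions (`'self'`, `'none'`, `*`, `https:`, host names with a leading `*.` wildcard) and ignores ports and paths inside host-sources, so it is a teaching model rather than a full browser implementation.

```python
from urllib.parse import urljoin, urlparse

# Constructed inputs: the policy from the question's web.config, an assumed
# origin for the test site, and the script URLs the posted test page loads.
POLICY = "default-src 'self'"
PAGE_ORIGIN = "https://localhost:44300"  # assumption; the question does not give the site URL
SCRIPT_URLS = [
    "/Scripts/modernizr-2.6.2.js",
    "https://cdnjs.cloudflare.com/ajax/libs/vue/2.1.4/vue.js",
    "/Scripts/jquery-1.10.2.js",
    "/Scripts/bootstrap.js",
    "/Scripts/respond.js",
]

# Fetch directives that fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "manifest-src",
}


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}.
    Directives are separated by ';', names are case-insensitive and, as in
    browsers, only the first occurrence of a directive counts."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, directive):
    """Source list that governs `directive`, or None when nothing restricts it."""
    if directive in directives:
        return directives[directive]
    if directive in FETCH_DIRECTIVES:
        return directives.get("default-src")
    return None


def source_matches(expr, target, page):
    """Match one source expression against an absolute URL (both ParseResults).
    Handles 'none', 'self', '*', scheme-sources (https:) and host-sources with an
    optional *. wildcard; ports and paths inside host-sources are ignored here."""
    expr = expr.lower()
    if expr == "'self'":
        return (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port)
    if expr.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if expr == "*":
        return True
    if expr.endswith(":"):            # scheme-source such as https:
        return target.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("://")
    if scheme and scheme != target.scheme:
        return False
    host = rest.split("/")[0].split(":")[0]
    target_host = target.hostname or ""
    if host.startswith("*."):
        return target_host.endswith(host[1:])
    return target_host == host


def is_allowed(policy, directive, url, page_origin):
    """Would a browser enforcing `policy` on a page at `page_origin` load `url`
    under the given fetch directive?"""
    sources = effective_sources(parse_csp(policy), directive)
    if sources is None:
        return True
    target, page = urlparse(urljoin(page_origin, url)), urlparse(page_origin)
    return any(source_matches(s, target, page) for s in sources)


def inline_script_allowed(policy):
    """Inline <script> blocks need 'unsafe-inline' in the effective script-src
    (nonces and hashes, the safer alternatives, are not modelled here)."""
    sources = effective_sources(parse_csp(policy), "script-src")
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]


def blocked_scripts(policy, page_origin, urls):
    """URLs from `urls` that the policy would refuse to load as scripts."""
    return [u for u in urls if not is_allowed(policy, "script-src", u, page_origin)]


if __name__ == "__main__":
    for url in SCRIPT_URLS:
        verdict = "allowed" if is_allowed(POLICY, "script-src", url, PAGE_ORIGIN) else "BLOCKED"
        print(f"{verdict:8} {url}")
    print("inline <script> allowed:", inline_script_allowed(POLICY))
```

Run against the posted page, the only script URL refused is the cdnjs one; note that the inline `new Vue({...})` block is refused as well, because `'self'` does not cover inline code. So once the header is actually sent, the test page's Vue binding should stop working for two separate reasons, which makes it a good canary for whether the policy is in effect.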

1 Answer


Seeing the configuration block below in your question makes me assume you have added the <httpProtocol><customHeaders> ... section to the web.config file in the Views folder instead of the web.config file in the root of your website.

<system.webServer>
    <handlers>
        <remove name="BlockViewHandler"/>
        <add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />
    </handlers>
</system.webServer>
pfx