I am trying to configure this in an ASP.NET MVC application in the web.config as follows:

<nwebsec>
  <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
    <securityHttpHeaders>
      <content-Security-Policy-Report-Only enabled="true">
        <default-src self="true">
          <add source="https://static.mydomain.com" />
          <add source="unsafe-inline" />
          <add source="unsafe-eval" />
        </default-src>
      </content-Security-Policy-Report-Only>
    </securityHttpHeaders>
  </httpHeaderSecurityModule>
</nwebsec>

which means I end up with a header that looks as follows:

default-src 'self' https://static.mydomain.com unsafe-inline unsafe-eval

but this is still failing my page because inline scripts are not allowed. I am guessing I want my header to look like:

default-src 'self unsafe-inline unsafe-eval' https://static.ozcruising.com.au

So my question is: how do I change my NWebSec configuration to allow inline scripts from the page itself (same origin) as well as support serving content from https://static.mydomain.com?

TheEdge

1 Answer

Unsafe-inline is only relevant for script-src and style-src and unsafe-eval is only relevant for script-src. Thus these cannot be configured at the default-src level. You have to do it this way:

<default-src self="true">
  <add source="https://static.mydomain.com" />
</default-src>
<script-src self="true" unsafeInline="true" unsafeEval="true">
  <add source="https://static.mydomain.com" />
</script-src>
<style-src self="true" unsafeInline="true">
  <add source="https://static.mydomain.com" />
</style-src>

You have to specify self and static.mydomain.com again in script-src and style-src because a more specific *-src directive clears everything default-src had specified.

TheEdge
Jakub Hromadík
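The two rules the answer relies on, as an added example that is not code from the question or from the NWebsec project: first, `unsafe-inline` and `unsafe-eval` are CSP keywords only when single-quoted, so the unquoted tokens in the generated header are parsed as host-sources (hostnames) and never enable inline script; second, a fetch directive such as script-src that is present replaces default-src completely for that resource type, while a directive that is absent falls back to default-src. The script below is a small model of that resolution logic. The three policy strings are constructed for the example (the second is equivalent to what the answer's configuration yields, regardless of the order NWebsec emits the sources in), and host matching is a simplified exact origin comparison rather than the full CSP host-source grammar.

```javascript
// Added example, not code from the question or from NWebsec: a small model of the
// CSP resolution rules the answer relies on. Assumption: host sources are compared
// as exact, case-insensitive origins (the real grammar also allows wildcards and paths).

const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"]);

// Parse a Content-Security-Policy value into Map<directive, [source expressions]>.
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A source expression is a keyword only when it is single-quoted.
// Unquoted "unsafe-inline" is a host-source: the browser reads it as a hostname.
function classifySource(src) {
  if (src.startsWith("'") && src.endsWith("'")) {
    return KEYWORDS.has(src.toLowerCase()) ? 'keyword' : 'unknown-keyword';
  }
  return 'host';
}

// Fallback rule: a fetch directive that is present replaces default-src entirely
// (nothing is merged); one that is absent falls back to default-src.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  return directives.get('default-src') || [];
}

function hasKeyword(directives, directive, keyword) {
  return effectiveSources(directives, directive).some(s => s.toLowerCase() === keyword);
}

function allowsInline(directives, directive) { return hasKeyword(directives, directive, "'unsafe-inline'"); }
function allowsEval(directives, directive)   { return hasKeyword(directives, directive, "'unsafe-eval'"); }
function allowsSelf(directives, directive)   { return hasKeyword(directives, directive, "'self'"); }

// Whether an external resource served from `origin` may be loaded under this directive.
function allowsHost(directives, directive, origin) {
  return effectiveSources(directives, directive)
    .some(s => classifySource(s) === 'host' && s.toLowerCase() === origin.toLowerCase());
}

// Constructed sample policies for the example.
// 1) What the questioner's configuration produced: unsafe-inline / unsafe-eval unquoted.
const GENERATED = "default-src 'self' https://static.mydomain.com unsafe-inline unsafe-eval";
// 2) Equivalent to the answer's configuration: keywords quoted, sources repeated per directive.
const FIXED =
  "default-src 'self' https://static.mydomain.com; " +
  "script-src 'self' https://static.mydomain.com 'unsafe-inline' 'unsafe-eval'; " +
  "style-src 'self' https://static.mydomain.com 'unsafe-inline'";
// 3) The mistake the answer warns about: script-src added without repeating 'self' and the CDN.
const FORGOT = "default-src 'self' https://static.mydomain.com; script-src 'unsafe-inline'";

// Summarise what a policy allows for inline <script>, eval, same-origin and CDN scripts,
// inline <style>, and an image from the CDN (img-src is absent in all three, so it falls back).
function report(policy) {
  const d = parsePolicy(policy);
  return {
    inlineScript: allowsInline(d, 'script-src'),
    evalScript: allowsEval(d, 'script-src'),
    sameOriginScript: allowsSelf(d, 'script-src'),
    cdnScript: allowsHost(d, 'script-src', 'https://static.mydomain.com'),
    inlineStyle: allowsInline(d, 'style-src'),
    cdnImage: allowsHost(d, 'img-src', 'https://static.mydomain.com'),
  };
}

console.log('generated', report(GENERATED));
console.log('fixed    ', report(FIXED));
console.log('forgot   ', report(FORGOT));
```

Running it shows the generated header allowing neither inline script nor eval (the bare tokens are hosts), the fixed policy allowing both while img-src still falls back to default-src, and the "forgot" policy allowing inline script but blocking same-origin and CDN scripts because script-src does not inherit from default-src. One caveat worth keeping in mind: 'unsafe-inline' together with 'unsafe-eval' allows any inline script, including one injected through XSS, so CSP nonces or hashes are the usual way to whitelist a page's own inline scripts without opening that hole.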