.NET Core - nwebsec - csp - multiple urls?

Question

I struggle to add multiple urls as script sources

I tried:

setting them all in the same ScriptSource string but it fails to run saying the url is invalid
so I chained them, yet it is not working as , only the last one is returned in the headers

headers received in chrome

content-security-policy: default-src 'self';script-src 'self' 'unsafe-inline' unpkg.com;style-src 'self' 'unsafe-inline';img-src 'self';block-all-mixed-content
content-security-policy-report-only: default-src 'self';img-src 'none'

.NET Core side :

app.UseCsp(opts => opts
    .BlockAllMixedContent()
    .DefaultSources(s => s.Self())

    .ImageSources(s => s.Self())

    .ScriptSources(s => s.Self())
    .ScriptSources(s => s.UnsafeInline())
    .ScriptSources(s => s.CustomSources("www.googletagmanager.com")
                            .CustomSources("www.googleanalytics.com")
                            .CustomSources("unpkg.com")
                        )

    .StyleSources(s => s.Self())
    .StyleSources(s => s.UnsafeInline())               
);

can some one help me on this ?

thanks for your help

score 1 · Answer 1 · answered Mar 18 '21 at 11:17

1

ok I finaly found it, it's a params parameter, so no array, just strings separated by ,

.ScriptSources(s => s.CustomSources("www.googletagmanager.com","www.googleanalytics.com","unpkg.com")
                        )

answered Mar 18 '21 at 11:17

phil123456

1,192
2
10
26

.NET Core - nwebsec - csp - multiple urls?

1 Answers1