SignalR Content-Security-Policy issue

Question

I'm trying to implement .NET SignalR (v2.4.0) to some of our project but, SignalR $.connection.hub.start method give CSP error, we don't want to use 'unsafe-inline' CSP directive for scripts because of security conserns

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src

Is there any method or configuration to solve this problem?

Best Regards

score 0 · Answer 1 · answered Apr 09 '21 at 16:09

0

You may need to implement CORS depending on where you are loading resources from.

https://learn.microsoft.com/en-us/aspnet/signalr/overview/guide-to-the-api/hubs-api-guide-javascript-client#crossdomain

answered Apr 09 '21 at 16:09

Frank M

1,379
9
18

Hi, its not about CORS, i have already CORS implemented i can successfully request to server – Tutcugil Apr 09 '21 at 18:10
Cool. I saw the error with starting the connection and thought it might be that. – Frank M Apr 09 '21 at 19:56

score 0 · Answer 2 · answered Apr 09 '21 at 16:20

0

The violation message in the Chrome console:

Refused to execute inline script because it violates the following
 Content Security Policy directive: "script-src

means you have inline scripts kind of <script>...</script> on the page.

You can allow such scripts by using 'nonce-value' or 'hash-value' tokens. Alternatively you can move this script to external file, in this case it falls under script-src 'self' permission.

answered Apr 09 '21 at 16:20

granty

7,234
1
14
21

Hi, i don't have any inline scripts in my application, signalr start response has inline script and i cant add nonce or hash because signalr generates it automaticly – Tutcugil Apr 09 '21 at 18:09
May be you can override `HtmlTextWriter()` or `__doPostBack()` methods to intercept HTML and add 'nonce' on the fly, pls see [this topic](https://stackoverflow.com/questions/62722871/customize-web-form-script-generation/62802596#62802596). – granty Apr 17 '21 at 04:31

SignalR Content-Security-Policy issue

2 Answers2