1

Using Visual Studio Web.Config Transforms, I want to include the following line in Web.Debug.Config: <add source="*.amazonaws.com" />

This is my Web.config

<configuration>
  <!--
    -- More config here
  -->
  <nwebsec>
    <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
      <securityHttpHeaders>
        <content-Security-Policy enabled="true">
          <default-src none="true" />
          <script-src self="true" unsafeEval="true">
            <add source="https://cdnjs.cloudflare.com"/>
          </script-src>
          <style-src unsafeInline="true" self="true">
            <add source="https://cdnjs.cloudflare.com"/>
          </style-src>
          <img-src self="true">
            <add source="data:" />
            <add source="*.w3.org"/>
            <!-- ******** I want to insert new source here for Dev ******** -->
          </img-src>
          <object-src none="true" />
          <media-src none="true" />
          <frame-ancestors none="true" />
          <report-uri enableBuiltinHandler="true"/>
        </content-Security-Policy>
      </securityHttpHeaders>
    </httpHeaderSecurityModule>
  </nwebsec>
</configuration>

I have done what is suggested here, in Web.Debug.config:

<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web></system.web>
  <nwebsec>
    <httpHeaderSecurityModule> <!-- I have removed xmlns=... from this element -->
      <securityHttpHeaders>
        <content-Security-Policy enabled="true">
          <img-src self="true" xdt:Transform="Remove" />
          <img-src self="true" xdt:Transform="InsertIfMissing">
            <add source="data:" />
            <add source="*.w3.org"/>
            <add source="*.amazonaws.com" />
          </img-src>
        </content-Security-Policy>
      </securityHttpHeaders>
    </httpHeaderSecurityModule>
  </nwebsec>
</configuration>

But the new line is not added. How can I do this?

I think this is because httpHeaderSecurityModule has an xmlns attribute, but I don't know how to solve this issue.

Note that I have removed the xmlns=... from httpHeaderSecurityModule in the transform file. If I include the namespace, I get the following syntax error:

The 'http://schemas.microsoft.com/XML-Document-Transform:Transform' attribute is not declared

Hooman Bahreini

2 Answers

1

I am not sure if there is a better solution, but I could not get the transforms working inside the httpHeaderSecurityModule element (which has xmlns=...). According to the MS documentation:

The root element of a transform file must specify the XML-Document-Transform namespace in its opening tag

The only way that I could do this transform was to replace everything above the element which has xmlns, i.e.

  <nwebsec xdt:Transform="Remove" />
  <nwebsec xdt:Transform="InsertIfMissing">
    <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
      <securityHttpHeaders>
        <content-Security-Policy enabled="true">
          <default-src none="true" />
          <script-src self="true" unsafeEval="true">
            <add source="https://cdnjs.cloudflare.com"/>
          </script-src>
          <style-src unsafeInline="true" self="true">
            <add source="https://cdnjs.cloudflare.com"/>
          </style-src>
          <img-src self="true">
            <add source="data:" />
            <add source="*.w3.org"/>
            <!-- ******** I want to insert new source here for Dev ******** -->
          </img-src>
          <object-src none="true" />
          <media-src none="true" />
          <frame-ancestors none="true" />
          <report-uri enableBuiltinHandler="true"/>
        </content-Security-Policy>
      </securityHttpHeaders>
    </httpHeaderSecurityModule>
  </nwebsec>
Hooman Bahreini
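The namespace problem raised in the question, as an added example that is not part of the original posts: every element under httpHeaderSecurityModule inherits its xmlns, so a lookup by bare element name misses img-src while a namespace-qualified one finds it. The Python sketch below uses a trimmed, constructed copy of the question's Web.config and hypothetical helper names, and can double as a check of which img-src sources a transformed config ends up with.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the question's Web.config (img-src only).
WEB_CONFIG = """<configuration>
  <nwebsec>
    <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd">
      <securityHttpHeaders>
        <content-Security-Policy enabled="true">
          <img-src self="true">
            <add source="data:" />
            <add source="*.w3.org"/>
          </img-src>
        </content-Security-Policy>
      </securityHttpHeaders>
    </httpHeaderSecurityModule>
  </nwebsec>
</configuration>"""

# Helper names below are illustrative; they are not part of NWebsec or XDT.
NS = {"nw": "http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd"}
IMG_SRC = ("nwebsec/nw:httpHeaderSecurityModule/nw:securityHttpHeaders/"
           "nw:content-Security-Policy/nw:img-src")

def load(xml_text):
    return ET.fromstring(xml_text)

def find_img_src(root, qualified=True):
    """Locate img-src; with qualified=False the path ignores the namespace."""
    path = IMG_SRC if qualified else IMG_SRC.replace("nw:", "")
    return root.find(path, NS)

def img_sources(root):
    """Return the source values listed under the namespaced img-src element."""
    node = find_img_src(root)
    return [] if node is None else [a.get("source") for a in node.findall("nw:add", NS)]

def add_img_source(root, source):
    """Append <add source=.../> to img-src unless it is already listed."""
    node = find_img_src(root)
    if node is None:
        raise LookupError("img-src not found under the NWebsec namespace")
    if source not in img_sources(root):
        ET.SubElement(node, "{%s}add" % NS["nw"], {"source": source})
    return img_sources(root)

def wildcard_sources(root):
    """List wildcard hosts, e.g. to confirm a dev-only entry is absent from Release output."""
    return [s for s in img_sources(root) if s.startswith("*.")]
```
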
0

One alternative could be to use a separate config file instead of a full transformation. You can do something like this:

<nwebsec xdt:Transform="Remove" />
<nwebsec xdt:Transform="InsertIfMissing">
  <httpHeaderSecurityModule configSource="NWebsec.config" >
  </httpHeaderSecurityModule>
</nwebsec>

Unfortunately, you cannot directly use the nwebsec element (see here why).

Flo