
https://csp-evaluator.withgoogle.com/ shows the classic ASP.NET site I'm working on with the following results:

object-src 'none'; img-src 'self'; script-src 'self'; require-trusted-types-for 'script'

but it looks like none of my code that uses __DoPostback JS is working. Here's a snippet from web.config:

<rule name="CSP">
  <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" />
  <action type="Rewrite" value="object-src 'none'; img-src 'self'; script-src 'self'; require-trusted-types-for 'script'" />
</rule>

Removing the require-trusted-types-for and script-src stanzas makes the JS work again, but also makes the site vulnerable to XSS.

Anyone aware of a solution? I've tried script-src 'url-of-base-site'.

This one looked promising but may be old enough that require-trusted-types-for 'script' wasn't a thing yet? When I commented that last tag out of the custom headers, inline scripts seemed to start working, but I am getting at best a B- on observatory.mozilla.org.

AlMo320

1 Answer


When setting "script-src 'self'", all executing scripts must be loaded from .js files served by the same origin. Your site is not particularly vulnerable to XSS with such a strong script-src.

If some third-party code causes issues with CSP, you basically have to modify it or replace it if you don't want to change the CSP. In your case I would be happy with "script-src 'self'" and rather invest time into securing something else, even though a CSP evaluator says my policy isn't optimal.

Halvor Sakshaug
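As an added illustration (not code from the question or the answer), a small Python checker that applies the CSP source-matching rules to the policy quoted in the question: it shows why an inline script block such as the one WebForms emits to bootstrap __doPostBack is blocked under script-src 'self', and how a per-response nonce or a sha256 hash of that exact block would admit it without 'unsafe-inline'. The nonce and script body used below are constructed sample values, not taken from the original site.

```python
import base64
import hashlib
import re

# Policy quoted in the question; the nonce is a constructed sample value.
QUESTION_POLICY = ("object-src 'none'; img-src 'self'; script-src 'self'; "
                   "require-trusted-types-for 'script'")
SAMPLE_NONCE = "c29tZXJhbmRvbQ"


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}.
    Only the first occurrence of a directive is honoured, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_hash(body: str) -> str:
    """'sha256-...' source expression for an inline script body (the exact
    bytes between <script> and </script>, whitespace included)."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"


def inline_script_allowed(csp: dict, nonce: str = None, body: str = None) -> bool:
    """Would an inline <script> block run under this policy?
    script-src falls back to default-src; 'unsafe-inline' is ignored whenever a
    nonce, hash or 'strict-dynamic' source is present; a matching nonce or hash
    admits the block regardless of the other sources."""
    if "script-src" not in csp and "default-src" not in csp:
        return True  # no governing directive, so inline script is unrestricted
    srcs = csp.get("script-src", csp.get("default-src", []))
    has_nonce_or_hash = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in srcs)
    if nonce is not None and f"'nonce-{nonce}'" in srcs:
        return True
    if body is not None and script_hash(body) in srcs:
        return True
    return ("'unsafe-inline'" in srcs and not has_nonce_or_hash
            and "'strict-dynamic'" not in srcs)


def requires_trusted_types(csp: dict) -> bool:
    """True when DOM sinks (innerHTML, eval, ...) only accept Trusted Types."""
    return "'script'" in csp.get("require-trusted-types-for", [])


if __name__ == "__main__":
    csp = parse_csp(QUESTION_POLICY)
    print("inline script under question policy:", inline_script_allowed(csp))
    nonce_policy = f"script-src 'self' 'nonce-{SAMPLE_NONCE}'"
    print("same block with a matching nonce:",
          inline_script_allowed(parse_csp(nonce_policy), nonce=SAMPLE_NONCE))
```

Nonces and hashes cover <script> blocks only; the javascript: hrefs and inline event handlers that WebForms also emits are matched separately (hash-based allowance for those needs 'unsafe-hashes'), so a nonce alone may not restore every postback control.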