I am implementing CSP with NWebsec in an MVC application (not Core). I am referring to this post: Applying different Content Security Policies to different directories with NWebSec

I have entries in the web.config file at the root of the site and they work fine. I want to disable the CSP on all the admin pages. The route to the admin is ~/Admin. The Admin files are in Areas/Admin and the web.config is in Areas/Admin/Views. I have found some posts about overriding NWebsec in a location, but nothing I am trying works. The main web.config has:

    <location path="." allowOverride="true">
        <nwebsec>
            ...
            <content-Security-Policy-Report-Only enabled="true">
                ...
            </content-Security-Policy-Report-Only>
        </nwebsec>
    </location>

The web.config in the Areas/Admin/Views folder has:

    <location path="." allowOverride="true">
        <nwebsec>
            ...
            <content-Security-Policy-Report-Only enabled="false">
                ...
            </content-Security-Policy-Report-Only>
        </nwebsec>
    </location>

I've also tried <content-Security-Policy-Report-Only enabled="true"> in the web.config in the Admin folder and changing some of the rules, but the CSP in the root web.config is still being applied.

Thanks for any help.

user359409