I have to fix Missing Content Security Policy Header issue for a Classic ASP application. We have added the below in Web.config

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Content-Security-Policy" value="default-src" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

After the change the application works in IE, but in Mozilla and Chrome it is not rendering properly (the CSS is not loading properly).

If I add the same header in a particular ASP page too (Response.AddHeader "Content-Security-Policy","default-src"), the same issue happens.

Please advise.

Posted
Updated 30-Aug-17 4:04am

It's "working" in IE because IE doesn't support CSP headers, so it just ignores the policy and loads everything.

The behaviour in Firefox and Chrome would more correctly be described as "working", because they're doing exactly what you told them to: block everything.

You need to generate a valid policy header for your site.
CSP Cheat Sheet
Generate your CSP

If you don't want to read through the documentation, Mozilla have an extension for Firefox which should get you started:
Laboratory (Content Security Policy / CSP Toolkit) :: Add-ons for Firefox
The below tag is working now for me
<add name="Content-Security-Policy" value="script-src 'unsafe-inline' 'unsafe-eval' https://example.com; style-src 'self' 'unsafe-inline'" />
Now there is no error in Mozilla or Chrome. The page is rendering properly, as the CSS and JS are loading properly in the ASP pages.
Comments
Richard Deeming 1-Sep-17 14:03pm    
Adding unsafe-inline and unsafe-eval provides virtually no protection. You might as well not have a CSP header at all!

Try Google's CSP Evaluator to see what protection you're actually getting.

You should try to rewrite your application to avoid the use of inline script blocks and eval statements. Then, you'll be able to adjust your CSP header to make it more secure.
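As an added illustration (not code from the question, the answers, or Google's CSP Evaluator), the small Python checker below parses a Content-Security-Policy header the way a browser does and reports why the first header (`default-src` with no sources) blocks all CSS and scripts, while the second one (`'unsafe-inline'` and `'unsafe-eval'`) offers almost no protection. The directive fallback and keyword semantics follow the CSP specification; the finding texts and the `STRICT_CSP` comparison policy are my own.

```python
# Keywords and fallback behaviour per the CSP specification.
# A fetch directive with an empty source list behaves like 'none';
# a fetch directive that is absent falls back to default-src;
# if default-src is absent too, that resource type is unrestricted.

# The two headers from the thread plus a constructed stricter one.
BROKEN_CSP = "default-src"
WEAK_CSP = ("script-src 'unsafe-inline' 'unsafe-eval' https://example.com; "
            "style-src 'self' 'unsafe-inline'")
STRICT_CSP = "default-src 'self'; script-src 'self' https://example.com; style-src 'self'"


def parse_csp(header):
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources the browser applies to a fetch directive, honouring default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")  # None means 'no restriction at all'


def audit_csp(header):
    """Return a list of findings explaining how a CSP header blocks too much or too little."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types not listed are unrestricted")
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: no restriction at all")
            continue
        if not sources or sources == ["'none'"]:
            findings.append(f"{directive}: empty source list blocks everything (acts as 'none')")
        if "'unsafe-inline'" in sources:
            findings.append(f"{directive}: 'unsafe-inline' allows injected inline code")
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append("script-src: 'unsafe-eval' allows eval() and new Function()")
        if any(s == "*" or s.startswith("http:") for s in sources):
            findings.append(f"{directive}: wildcard or plain-http source")
    return findings


if __name__ == "__main__":
    for name, header in (("BROKEN", BROKEN_CSP), ("WEAK", WEAK_CSP), ("STRICT", STRICT_CSP)):
        print(name, audit_csp(header) or ["no findings"])
```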

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)