I have a Blazor server-side and I added the following tag:
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self';
style-src 'self' 'unsafe-inline';
upgrade-insecure-requests;">
I'm getting the following errors:
Refused to connect to 'http://localhost:58126/c5f3e2f1da1843188844fd8515c3ca3b/browserLinkSignalR/negotiate?requestUrl=https%3A%2F%2Flocalhost%3A44350%2FDashboard&browserName=&userAgent=Mozilla%2F5.0+(Windows+NT+10.0%3B+Win64%3B+x64)+AppleWebKit%2F537.36+(KHTML%2C+like+Gecko)+Chrome%2F109.0.0.0+Safari%2F537.36&browserIdKey=window.browserLink.initializationData.browserId&browserId=2655-11e6&clientProtocol=1.3&_=1675268211057' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
and
Refused to connect to 'wss://localhost:44393/KeyAccount.Web/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
How can I fix these problems?
Related
A client wants us to add a script-src security policy to our software so that it satisfies their security standards. I have managed to create a relatively secure policy that still allows our code to run... EXCEPT I am getting a console error in my browser that says "Refused to execute inline script because it violates the following Content Security Policy directive" and that points to the file jquery-3.5.1.min.js. The error doesn't give me any more useful details. (It doesn't indicate a specific line in our code as being the problem.)
From what I can tell from the jQuery message boards, this sort of problem was fixed in jQuery several versions ago, so I have no idea why it's happening in this case.
I've also seen that some people access jQuery from a remote URL so the fix is to simply add that URL to script-src, but the current plan is to keep accessing jQuery from a local file.
I need to figure out how to stop getting this error without just making the code so unsafe that it defeats the purpose of using script-src in the first place (at which point the code would probably just fail the client's security scan again).
My current approach to the script-src policy has been to use a nonce. AFAIK, the nonce can't be generated by or brought into Web.config, so the only CSP in Web.config is this:
<add name="Content-Security-Policy" value="object-src 'none';" />
The Configuration() method inside Startup.cs calls another method called ConfigureNonce(), which is what creates the nonce and establishes the script-src policy:
private void ConfigureNonce(IAppBuilder app)
{
app.Use((context, next) =>
{
var rng = new RNGCryptoServiceProvider();
var nonceBytes = new byte[32];
rng.GetBytes(nonceBytes);
var nonce = Convert.ToBase64String(nonceBytes);
context.Set("ScriptNonce", nonce);
context.Response.Headers.Add("Content-Security-Policy",
new[] { string.Format("script-src 'self' 'unsafe-eval' xxxxxx yyyyyy http://localhost:* 'nonce-{0}'", nonce) });
return next();
});
}
'xxxxxx' is the URL of an external provider we use for a certain widget.
'yyyyyy' is the URL of our help documentation.
'unsafe-eval' is apparently necessary because we use Kendo. [Thanks, Kendo...]
'localhost' is apparently necessary in development to stop getting a script-src violation due to Browser Link, but it will need to be removed when we go to production. [Thanks, Visual Studio...]
Finally, I have made a new helper file called NonceHelper.cs that just contains this:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
namespace dTIMSi.Helpers
{
public static class NonceHelper
{
public static IHtmlString ScriptNonce(this HtmlHelper helper)
{
var owinContext = helper.ViewContext.HttpContext.GetOwinContext();
return new HtmlString(owinContext.Get<string>("ScriptNonce"));
}
}
}
All of this enables me to see what web browser console errors I get for inline scripts (there are a lot), go to whatever line of code each error is indicating, and just add the nonce, like so:
<script type="text/javascript" nonce="#Html.ScriptNonce()">
//bla bla bla, doin' some inline script stuff
</script>
Hopefully that all makes sense and is OK. But why am I getting an error on the jQuery file and how can I fix it?
I have a Blazor server-side app and I added the following the <head> of _Host.cshtml:
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self';
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self';
style-src 'self' 'unsafe-inline';
upgrade-insecure-requests;">
I originally all the hashes that were reported in the console. But the errors are still reported. I had to remove the hashes and add unsafe-inline. I'd rather have the hashes instead.
What am I missing?
Most likely the hashes are for inline event attributes such as onclick, onload etc. These can't be hashed, but the browser provides them in the errors anyway. You will need to rewrite with event listeners.
In Client application i have set below configuration and in postLogoutRedirectUri parameter set as sign-oidc url but still able to redirect to singin-oidc url and Auth service i have used using ADFS , openid connect and identity server using .Net 6.
config: {
authority: 'https://localhost:6001',
clientId: 'Test',
**postLogoutRedirectUri: 'http://localhost:6269/signin-oidc',**
redirectUrl:'http://localhost:6269/signin-oidc',
scope: 'openid profile',
responseType: 'code',
autoUserInfo: true,
silentRenew: true,
useRefreshToken: true,
logLevel: LogLevel.Debug
},
how can i redirect to signin-oidc page ?
You need to enable both frontchannel_logout support and session supported to true.
Example:
Here
Then make sure your ADFS Server implements the allow url by
Set-AdfsClient -TargetIdentifier <id> -LogoutUri http://localhost:5000/logout
If this is a server application
Set-AdfsServerApplication -TargetIdentifier <id> -LogoutUri http://localhost:5000/logout
So you can change your URL to something like this
https://localhost:6269/adfs/oauth2/logout?id_token_hint=<current_Id_Token>&post_logout_redirect_uri=http://localhost:6269
I'm trying to get an action to fire but getting the following error...
ArgumentException: IDX20108: The address specified '[PII is hidden.
For more details, see https://aka.ms/IdentityModel/PII.]' is not valid
as per HTTPS scheme. Please specify an https address for security
reasons. If you want to test with http address, set the RequireHttps
property on IDocumentRetriever to false. (Parameter 'address')
How do I set the RequireHttps property to false?
The line triggering the error is...
await HttpContext.ChallengeAsync("Schema", new AuthenticationProperties() {});
I have a web application in which I have added a ContentSecurityPolicy middleware configured like this
options[CspDirective.FormAction].ApprovedSources.Add("'self'");
options[CspDirective.FormAction].ApprovedSources.Add("https://localhost:44321");
options[CspDirective.FormAction].ApprovedSources.Add("https://*.test.com");
options[CspDirective.FormAction].ApprovedSources.Add("https://*.testdev.com");
I have a JavaScript file which has the content as,
window.onload = function () {
document.getElementById("callbackForm").submit();
}
and the html
<form id="callbackForm" method="POST" action="#ViewBag.CallbackUrl">
but when I run the application it says because it violates the following Content Security Policy directive: "form-action 'self' 'self' https://localhost:44321 https://*.test.com https://*.testdev.com".