Reputation: 173
Prevent inline JavaScript on Internet Explorer 11 using Content Security Policy
Is it possible prevent inline JavaScript on Internet Explorer 11 using CSP on ASP.NET WebForm? I know IE 11 does not support Content Security Policy Level 2 but it seen that support Level 1.0. I tried many way and there is not a clear answer out there. I tried:
- Response.AddHeader("X-Content-Security-Policy", "script-src 'none'");
- Response.AddHeader("X-Content-Security-Policy","script-src 'self'");
- Response.AddHeader("Content-Security-Policy", "script-src 'self'");
it's not working.
Thanks! Albert Torres
Upvotes: 2
Views: 3860
Answers (1)
Reputation: 33538
See here - IE 11 only has partial support.
Partial support in Internet Explorer 10-11 refers to the browser only supporting the
sandboxdirective by using theX-Content-Security-Policyheader
However, you could try this sandbox directive. Description here:
Enables a sandbox for the requested resource similar to the iframe sandbox attribute. The sandbox applies a same origin policy, prevents popups, plugins and script execution is blocked. You can keep the sandbox value empty to keep all restrictions in place
e.g.
X-Content-Security-Policy: sandbox
Upvotes: 1
Related Questions
- Content Security Policy self blocking inline
- Disabling javascript with javascript by injecting Content-Security-Policy
- Content Security Policy bypass
- Avoiding `script-src 'unsafe-inline'` with Content-Security-Policy and JavaScript
- Content Security Policy stops inline script execution, in spite of report-only mode
- Inline Javascript not loading on IE11
- Block javascript execution from css
- Why isn't this inline javascript blocked by content security policy?
- Why is inline script forbidden (Content Security Policy)?
- Is there a way to prevent ie7 from loading some inline javascript?