Amit Kumar

Reputation: 85

Missing content security policy header - issue with chrome and firefox

I have to fix Missing Content Security Policy Header issue for a Classic ASP application. We have added the below in Web.config

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Content-Security-Policy" value="default-src" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

After the change, the application works in IE, but in Mozilla and Chrome it is not rendering properly (the CSS is not loading properly).

If I add the same in a particular ASP page too (Response.AddHeader "Content-Security-Policy","default-src"), the same issue happens.

Please advise.

Upvotes: 2

Views: 27813

Answers (1)

Stephen R

Reputation: 3897

You might want to better familiarize yourself with what CSP (Content Security Policy) does. It's actually a good idea to implement from a security standpoint.

Activating a policy without explicitly setting it (in this case "default-src") is the same as setting it to "none". So what your setting does...

<add name="Content-Security-Policy" value="default-src" />

...is tell the browser to not accept resources from any sources. You've said that the default permitted source for this page is "none". No linking images, no CSS, no scripts. You've turned it all off.

A better default may be: default-src self;

That will allow you to link to CSS and JS files on the same domain. Possibly add style-src self unsafe-inline;, but I would not recommend the same for script-src.

It totally depends on your site of course. If you're using inline <script> and <style> tags, look into CSP nonces -- they're pretty easy to use, and more secure than unsafe-inline. If your pages are littered with "onclick"s, you'll have to do some cleanup. (That type of coding has been discouraged for well over a decade, but you may be dealing with old code, as I do every day.)

Personally, I don't set it at the Server level. I set it in PHP, which allows flexibility if one particular page needs looser security for some reason (such as using Google Charts, which requires really loose CSP due to eval() statements.) Well, that and you can't use nonces at the Server level, as they have to be generated at the same time as the page.

Upvotes: 3
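An added example (my own Python, not code from the question or the answer) that serialises the policies discussed above, evaluates a same-origin CSS fetch against each of them, and builds a per-response nonce policy; the page origin and resource URLs are assumed. Note that in a real header the keyword sources must be quoted, `default-src 'self'`, because an unquoted `self` is parsed as a host named "self" and still blocks same-origin CSS.

```python
import secrets
from urllib.parse import urlsplit

# Constructed policies and origin (assumed; not taken from the question)
PAGE = "https://app.example.com/default.asp"
BROKEN = {"default-src": []}                 # what the question's Web.config sends
UNQUOTED = {"default-src": ["self"]}         # unquoted self is a host named "self"
FIXED = {"default-src": ["'self'"],
         "style-src": ["'self'", "'unsafe-inline'"]}

def build_csp(policy):
    """Serialise {directive: [sources]} into a Content-Security-Policy value."""
    return "; ".join(f"{d} {' '.join(s)}".strip() for d, s in policy.items())

def make_nonce():
    """Fresh random nonce per response; never reuse one across responses."""
    return secrets.token_urlsafe(16)

def nonced_policy(nonce):
    """Allow same-origin scripts plus inline <script nonce=...> blocks only."""
    return {"default-src": ["'self'"],
            "script-src": ["'self'", f"'nonce-{nonce}'"]}

def resource_allowed(policy, directive, page_url, resource_url):
    """Simplified CSP source matching: a directive falls back to default-src,
    an empty source list behaves like 'none', and keywords must be quoted."""
    sources = policy.get(directive, policy.get("default-src", []))
    if not sources or "'none'" in sources:
        return False
    page, res = urlsplit(page_url), urlsplit(resource_url)
    for src in sources:
        if src == "'self'":
            if (res.scheme, res.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue  # 'unsafe-inline', 'nonce-...' never match a URL fetch
        elif src == "*":
            return True
        else:  # host-source, optionally with a scheme and a leading wildcard
            scheme, _, host = src.rpartition("://")
            if scheme and scheme != res.scheme:
                continue
            if res.netloc == host or (host.startswith("*.")
                                      and res.netloc.endswith(host[1:])):
                return True
    return False
```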
