chesco

Reputation: 161

Chrome ignoring CSP (Content Security Policy) affecting Browser Link on ASP.NET application using .NET Core

I am trying to get Browser Link to work on a .NET Core ASP.NET application. Although I am setting the CSP properly (at least I think I am), Chrome seems to be using a default. Here is what I see in the console:

console errors

This is what I have in the shared layout used by all views:

code defining CSP

This is the source rendered on the browser (Chrome) when pressing Ctrl+U:

this is the CSP meta tag in the head tag

The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;

Am I missing something here, or is this a Google Chrome issue? Maybe it is a setting I am not aware of, but I've scoured the web and have not found a solution for this issue.

Upvotes: 2

Views: 2756

Answers (1)

granty

Reputation: 8546

The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;

That's because your ASP.NET app publishes a CSP via an HTTP header (you can see it).

So you have two CSPs delivered: one via the meta tag and a second via the HTTP header. In this case both are applied consecutively, and the strictest one does the blocking.

Check web.config file for lines like:

<!-- plain IIS custom header, under system.webServer/httpProtocol/customHeaders -->
<add name="Content-Security-Policy" value="default-src 'self'" />
<!-- NWebsec configuration section -->
<content-Security-Policy enabled="true">

Also check the NWebsec NuGet package settings - it can publish CSP header via web.config file, via middleware or via MVC attributes:

  • NWebsec.AspNetCore.Mvc package lets you configure CSP via MVC attributes.
  • NWebsec.AspNetCore.Mvc.TagHelpers package includes Tag helpers to manage the script and style 'nonces'.
  • NWebsec.AspNetCore.Middleware package includes OWIN CSP middleware.

You have to use meta tag or HTTP header to publish Content Security Policy, but not both at the same time.

Upvotes: 1
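The behaviour the answer describes (a header policy and a meta-tag policy are both enforced, so the looser meta tag cannot re-open what the stricter header closes) can be modelled in a few lines. The following is an added example, not code from the question, the answer, Chrome or NWebsec: a deliberately simplified CSP evaluator that handles only 'self', 'none', '*' and host-source expressions for default-src / script-src, with the page origin (https://localhost:5001), the Browser Link script port (62500) and both policy strings assumed for illustration.

```javascript
// Added example: simplified model of how a browser enforces several
// Content-Security-Policy policies at once. Real CSP matching (paths, nonces,
// hashes, scheme upgrades) is more involved; this covers just enough to show
// why a <meta> policy cannot loosen a stricter header policy.

// Parse "default-src https://localhost:*; script-src 'self' https://cdn.example"
// into a Map of directive name -> array of source expressions.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // First occurrence of a directive wins; later duplicates are ignored (as in the spec).
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

const defaultPort = (protocol) => (protocol === 'https:' ? '443' : '80');

// Does one source expression allow `url` for a document served from origin `self`?
function sourceMatches(source, url, self) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  // Simplification: treat 'self' as exact same origin (scheme + host + port).
  if (source === "'self'") return url.protocol === self.protocol && url.host === self.host;
  // Host-source such as https://localhost:*, https://cdn.example, *.example.com
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?$/i.exec(source);
  if (!m) return false; // anything fancier is out of scope for this model
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host.toLowerCase() !== url.hostname) {
    return false;
  }
  const urlPort = url.port || defaultPort(url.protocol);
  const wantPort = port !== undefined ? port : defaultPort(url.protocol);
  return wantPort === '*' || wantPort === urlPort;
}

// script-src (etc.) falls back to default-src when the specific directive is absent.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // neither present: this policy does not restrict the load
}

function policyAllows(policy, directive, url, self) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, url, self));
}

// Several delivered policies (HTTP header plus <meta>): every one must allow the
// load. `blockedBy` lists the offending policies, which is what the console
// error quotes when it says "default-src 'self'".
function evaluate(policyTexts, directive, urlText, selfText) {
  const url = new URL(urlText);
  const self = new URL(selfText);
  const blockedBy = policyTexts.filter(
    (text) => !policyAllows(parsePolicy(text), directive, url, self)
  );
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed sample modelled on the question (ports and header text assumed):
const SELF = 'https://localhost:5001';                 // assumed app origin
const META_CSP = 'default-src https://localhost:*';     // from the layout's <meta>
const HEADER_CSP = "default-src 'self'";                // assumed header from web.config/NWebsec
const BROWSER_LINK = 'https://localhost:62500/browserLink'; // assumed injected script

console.log(evaluate([META_CSP], 'script-src', BROWSER_LINK, SELF));           // allowed
console.log(evaluate([META_CSP, HEADER_CSP], 'script-src', BROWSER_LINK, SELF)); // blocked by header
```

To confirm which policy is really being sent, look at the response headers in the DevTools Network tab or run something like `curl -sI https://localhost:5001 | grep -i content-security-policy` against the running app; if a Content-Security-Policy header comes back, the meta tag is not the policy you need to change.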
