@@ -34,11 +34,20 @@ namespace Teknik.IdentityServer.Middleware | |||
allowedDomain = host; | |||
} | |||
var csp = "default-src 'self';" + | |||
"img-src * 'self' data: https:;" + | |||
$"style-src 'self' {allowedDomain};" + | |||
$"font-src 'self' {allowedDomain};" + | |||
$"script-src 'self' 'unsafe-inline' {allowedDomain};"; | |||
var csp = string.Format( | |||
"default-src 'none'; " + | |||
"script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " + | |||
"style-src 'unsafe-inline' {0}; " + | |||
"img-src data: *; " + | |||
"font-src data: {0}; " + | |||
"connect-src wss: blob: data: {0}; " + | |||
"media-src *; " + | |||
"worker-src blob: mediastream: {0}; " + | |||
"form-action {0}; " + | |||
"base-uri {0}; " + | |||
"frame-ancestors {0};", | |||
allowedDomain, | |||
httpContext.Items[Constants.NONCE_KEY]); | |||
if (!httpContext.Response.Headers.ContainsKey("Content-Security-Policy")) | |||
{ |
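Review bot: The nonce at `'nonce-{1}'` is taken straight from `httpContext.Items[Constants.NONCE_KEY]` with no null check, so a request on which nothing set that item gets a header containing the bare `'nonce-'`, an invalid source expression that browsers drop, and every nonced script is then blocked with nothing logged server-side. Read it into a local and fail loudly instead: `var nonce = httpContext.Items[Constants.NONCE_KEY] as string;` followed by `if (string.IsNullOrEmpty(nonce)) throw new InvalidOperationException("CSP nonce missing from HttpContext.Items");`. The new policy also keeps `'unsafe-eval'` in script-src and `'unsafe-inline'` in style-src, which give back much of what the nonce buys, so a comment naming the client code that needs each (`// 'unsafe-eval': required by <which library?> — revisit`) would stop them outliving that need; the policy further drops `'self'`, so it now depends on allowedDomain never being empty. The same string is duplicated verbatim in the Teknik.Middleware hunk, so a shared builder taking (allowedDomain, nonce) would keep the two from drifting. The enclosing method continues outside the hunk.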
@@ -45,7 +45,6 @@ | |||
<link href="~/images/favicon.ico" rel="apple-touch-icon-precomposed" /> | |||
<bundle src="css/common.min.css" append-version="true"></bundle> | |||
<bundle src="js/common.min.js" append-version="true"></bundle> | |||
</head> | |||
<body data-twttr-rendered="true"> | |||
<div id="wrap"> |
@@ -42,7 +42,20 @@ namespace Teknik.Middleware | |||
allowedDomain += " " + config.CdnHost; | |||
} | |||
httpContext.Response.Headers.Append("Content-Security-Policy", string.Format("default-src 'none'; script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; style-src 'unsafe-inline' {0}; img-src data: *; font-src data: {0}; connect-src wss: blob: data: {0}; media-src *; worker-src blob: mediastream: {0}; form-action {0}; base-uri {0}; frame-ancestors {0};", allowedDomain, httpContext.Items[Constants.NONCE_KEY])); | |||
httpContext.Response.Headers.Append("Content-Security-Policy", string.Format( | |||
"default-src 'none'; " + | |||
"script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " + | |||
"style-src 'unsafe-inline' {0}; " + | |||
"img-src data: *; " + | |||
"font-src data: {0}; " + | |||
"connect-src wss: blob: data: {0}; " + | |||
"media-src *; " + | |||
"worker-src blob: mediastream: {0}; " + | |||
"form-action {0}; " + | |||
"base-uri {0}; " + | |||
"frame-ancestors {0};", | |||
allowedDomain, | |||
httpContext.Items[Constants.NONCE_KEY])); | |||
} | |||
return _next(httpContext); |
@@ -314,6 +314,5 @@ namespace Teknik | |||
context.Response.StatusCode = 403; | |||
context.HandleResponse(); | |||
} | |||
} | |||
} |