2 anos atrás · bbaf251525
--- a/IdentityServer/Middleware/CSPMiddleware.cs
+++ b/IdentityServer/Middleware/CSPMiddleware.cs
@@ -34,11 +34,20 @@ namespace Teknik.IdentityServer.Middleware
                    allowedDomain = host;
                }

                var csp = "default-src 'self';" +
                         "img-src * 'self' data: https:;" +
                         $"style-src 'self' {allowedDomain};" +
                         $"font-src 'self' {allowedDomain};" +
                         $"script-src 'self' 'unsafe-inline' {allowedDomain};";
                var csp = string.Format(
                    "default-src 'none'; " +
                    "script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +
                    "style-src 'unsafe-inline' {0}; " +
                    "img-src data: *; " +
                    "font-src data: {0}; " +
                    "connect-src wss: blob: data: {0}; " +
                    "media-src *; " +
                    "worker-src blob: mediastream: {0}; " +
                    "form-action {0}; " +
                    "base-uri {0}; " +
                    "frame-ancestors {0};",
                    allowedDomain,
                    httpContext.Items[Constants.NONCE_KEY]);

                if (!httpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
                {
--- a/IdentityServer/Views/Shared/_Layout.cshtml
+++ b/IdentityServer/Views/Shared/_Layout.cshtml
@@ -45,7 +45,6 @@
        <link href="~/images/favicon.ico" rel="apple-touch-icon-precomposed" />
        
        <bundle src="css/common.min.css" append-version="true"></bundle>
        <bundle src="js/common.min.js" append-version="true"></bundle>
 </head>
 <body data-twttr-rendered="true">
    <div id="wrap">
--- a/Teknik/Middleware/CSPMiddleware.cs
+++ b/Teknik/Middleware/CSPMiddleware.cs
@@ -42,7 +42,20 @@ namespace Teknik.Middleware
                    allowedDomain += " " + config.CdnHost;
                }                

                httpContext.Response.Headers.Append("Content-Security-Policy", string.Format("default-src 'none'; script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; style-src 'unsafe-inline' {0}; img-src data: *; font-src data: {0}; connect-src wss: blob: data: {0}; media-src *; worker-src blob: mediastream: {0}; form-action {0}; base-uri {0}; frame-ancestors {0};", allowedDomain, httpContext.Items[Constants.NONCE_KEY]));
                httpContext.Response.Headers.Append("Content-Security-Policy", string.Format(
                    "default-src 'none'; " +
                    "script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +
                    "style-src 'unsafe-inline' {0}; " +
                    "img-src data: *; " +
                    "font-src data: {0}; " +
                    "connect-src wss: blob: data: {0}; " +
                    "media-src *; " +
                    "worker-src blob: mediastream: {0}; " +
                    "form-action {0}; " +
                    "base-uri {0}; " +
                    "frame-ancestors {0};", 
                    allowedDomain, 
                    httpContext.Items[Constants.NONCE_KEY]));
            }

            return _next(httpContext);
--- a/Teknik/Startup.cs
+++ b/Teknik/Startup.cs
@@ -314,6 +314,5 @@ namespace Teknik
                context.Response.StatusCode = 403;
            context.HandleResponse();
        }

    }
 }