I have disabled CSP on everything under /episerver and /Modules :(
but I still have the problem of the quick navigator, which contains the following JavaScript: href="javascript:void(0)" :(
I am not sure what to do about that.
If you set up the CSP headers in a globally assigned ActionFilterAttribute, you can interrogate the ActionExecutingContext to determine whether the request is for a controller of a PageData object and whether it is a child request or not.
In the example below, all PageControllers have a currentContent parameter for the PageData object. Block controllers will always render with filterContext.IsChildAction being true. I check both values to ensure the CSP headers are only applied on content pages.
using System.Web.Mvc;
using EPiServer.ServiceLocation;

// GlobalSettings is the site's own settings type holding the configured policy string.
public class ContentSecurityPolicyActionFilterAttribute : ActionFilterAttribute, IActionFilter
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        base.OnActionExecuting(filterContext);

        // Page controllers bind the routed PageData to a "currentContent" action parameter,
        // and block controllers always render as child actions, so checking both
        // restricts the header to top-level content page requests.
        if (filterContext.ActionParameters.Keys.Contains("currentContent") && !filterContext.IsChildAction)
        {
            var globalSettings = ServiceLocator.Current.GetInstance<GlobalSettings>();
            if (!string.IsNullOrWhiteSpace(globalSettings?.ContentSecurityPolicy))
            {
                var csp = globalSettings.ContentSecurityPolicy;
                filterContext.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
            }
        }
    }
}
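As an added example (not code from either poster or from Episerver), the filter below combines the two approaches in this thread: it skips the paths where the Episerver UI lives (the /episerver and /Modules exclusion mentioned earlier) and applies a strict, nonce-based policy only to top-level content page requests. It assumes ASP.NET MVC 5 (System.Web.Mvc); the excluded prefixes, the policy string and the ScopedContentSecurityPolicyAttribute/CurrentNonce names are assumptions for this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Added example, not from the thread: strict CSP for front-end content pages,
// no header on the Episerver UI paths that still need 'unsafe-inline'/'unsafe-eval'.
public class ScopedContentSecurityPolicyAttribute : ActionFilterAttribute
{
    // Assumed UI/add-on roots; adjust to the site's configured paths.
    private static readonly string[] ExcludedPrefixes = { "/episerver", "/modules" };

    private const string NonceItemKey = "csp-nonce";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        base.OnActionExecuting(filterContext);

        // Child actions (block controllers, partials) share the parent response;
        // adding the header again would only duplicate it.
        if (filterContext.IsChildAction)
            return;

        var path = filterContext.HttpContext.Request.Path ?? string.Empty;
        if (IsExcludedPath(path))
            return; // UI paths keep whatever relaxed policy is configured elsewhere.

        // Only requests that bound a content object count as content pages.
        if (!filterContext.ActionParameters.ContainsKey("currentContent"))
            return;

        // One fresh nonce per response; views read it for <script nonce="...">.
        var nonce = CreateNonce();
        filterContext.HttpContext.Items[NonceItemKey] = nonce;

        var response = filterContext.HttpContext.Response;
        if (response.Headers["Content-Security-Policy"] == null)
            response.Headers.Add("Content-Security-Policy", BuildPolicy(nonce));
    }

    // Case-insensitive prefix match so /EPiServer and /episerver are treated alike.
    public static bool IsExcludedPath(string path)
    {
        return ExcludedPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase));
    }

    // Assumed baseline policy: no inline/eval, scripts only from self or carrying the nonce.
    public static string BuildPolicy(string nonce)
    {
        return "default-src 'self'; " +
               "script-src 'self' 'nonce-" + nonce + "'; " +
               "style-src 'self'; img-src 'self' data:; " +
               "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
    }

    private static string CreateNonce()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Helper for Razor views: @ScopedContentSecurityPolicyAttribute.CurrentNonce(Context)
    public static string CurrentNonce(HttpContextBase context)
    {
        return context.Items[NonceItemKey] as string;
    }
}
```

Register it once in FilterConfig with GlobalFilters.Filters.Add(new ScopedContentSecurityPolicyAttribute()). Note that a nonce only whitelists inline <script> elements that carry it; it does not permit javascript: URLs, so a link such as the quick navigator's href="javascript:void(0)" on a content page is still reported by the browser under this policy unless 'unsafe-inline' is added, which is exactly the trade-off the thread is about. Running the policy in Content-Security-Policy-Report-Only first shows what would break before enforcing it.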
This is not so much a bug as a question of why.
When adding a CSP to my Episerver site, I can configure everything to work safely and securely on the front end.
But the second one tries to load /episerver/cms, everything breaks because the CSP blocks dojo.js's attempts to run an eval() function, as well as the inline scripts that are put into edit mode.
My question is this:
Are there any plans to fix this, as far as we are aware? Because running Episerver with a CSP that has to include both 'unsafe-inline' and 'unsafe-eval' feels rather bad.
Best Regards
Pål-j