This is not so much a bug as a question of why. When adding a CSP to my Episerver site, I can configure everything to work safely and securely on the front end. But the second one tries to load /episerver/cms, everything breaks because the CSP blocks dojo.js's attempts to run eval(), as well as the inline scripts that are put into edit mode. My question is this: are there any plans to fix this, as far as we are aware? Because running Episerver with a CSP that has to include both 'unsafe-inline' and 'unsafe-eval' feels rather bad.

Best regards,
Pål-j
I have disabled CSP on everything under /episerver and /Modules :(

I am not sure what to do about that.
If you set up the CSP headers in a globally assigned ActionFilterAttribute, you can interrogate the ActionExecutingContext to determine whether the request is for a controller of a PageData object and whether it is a child request or not.

In the example below, all page controllers have a currentContent parameter for the PageData object. Block controllers will always render with filterContext.IsChildAction being true. I check both values to ensure the CSP headers are only applied on content pages.
public class ContentSecurityPolicyActionFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Page controllers bind a "currentContent" PageData parameter; block controllers render as child actions.
        if (filterContext.ActionParameters.Keys.Contains("currentContent") && !filterContext.IsChildAction)
        {
            var globalSettings = ServiceLocator.Current.GetInstance<GlobalSettings>();
            var csp = globalSettings.ContentSecurityPolicy;
            // The original post is cut off here; emitting the header is the assumed remainder.
            filterContext.HttpContext.Response.Headers["Content-Security-Policy"] = csp;
        }
    }
}
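The following is an added example, not code from this thread or from Episerver, that combines the two approaches above: the strict policy is emitted only for top-level PageData requests, while the CMS UI under /episerver and /Modules (which, as the question notes, still needs 'unsafe-inline' and 'unsafe-eval' for dojo.js) and on-page edit renders are left without the strict header. It assumes Episerver CMS on ASP.NET MVC 5 (System.Web.Mvc) and uses the real EPiServer.Editor.PageEditing.PageIsInEditMode property; the class name ScopedContentSecurityPolicyAttribute, the FrontEndPolicy directive values and the FilterConfig registration are illustrative assumptions to be adapted per site.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;
using EPiServer.Core;
using EPiServer.Editor;

// Added example, not part of the thread. Applies a strict CSP to rendered page requests
// only, so the Episerver UI (which needs 'unsafe-inline' and 'unsafe-eval') keeps working.
public class ScopedContentSecurityPolicyAttribute : ActionFilterAttribute
{
    // Hypothetical strict policy for the public site; tighten or loosen per site.
    private const string FrontEndPolicy =
        "default-src 'self'; " +
        "script-src 'self'; " +
        "style-src 'self'; " +
        "img-src 'self' data:; " +
        "object-src 'none'; " +
        "frame-ancestors 'none'; " +
        "base-uri 'self'";

    // Path prefixes of the CMS UI; the strict policy is never applied there.
    private static readonly string[] ExcludedPathPrefixes = { "/episerver", "/modules" };

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var path = filterContext.HttpContext.Request.Path ?? string.Empty;

        // 1. Skip the CMS UI regardless of which controller handles the request.
        if (ExcludedPathPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase)))
        {
            return;
        }

        // 2. Block controllers render as child actions inside the page's response; only the
        //    top-level page request should set the response header.
        if (filterContext.IsChildAction)
        {
            return;
        }

        // 3. Only page controllers bind a PageData as "currentContent"; check the type, not just the key.
        object currentContent;
        if (!filterContext.ActionParameters.TryGetValue("currentContent", out currentContent)
            || !(currentContent is PageData))
        {
            return;
        }

        // 4. On-page edit renders the page inside the CMS frame and injects inline scripts, so a
        //    policy with script-src 'self' and frame-ancestors 'none' would break editing.
        if (PageEditing.PageIsInEditMode)
        {
            return;
        }

        // Set (not append): two CSP headers are enforced as their intersection, so a duplicate
        // would silently tighten the policy rather than override it.
        filterContext.HttpContext.Response.Headers.Set("Content-Security-Policy", FrontEndPolicy);
    }
}

// Registration in App_Start/FilterConfig.cs (assumed location), called from Application_Start.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ScopedContentSecurityPolicyAttribute());
    }
}
```

Leaving the CMS paths without a header mirrors what the earlier reply did; a separate, looser policy that includes the two directives the question names could be emitted for those paths instead, and rolling either policy out first as Content-Security-Policy-Report-Only with a report-uri shows what edit mode and dojo.js actually load before anything is blocked.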