
Episerver Cms and Content Security Policy Header

This is not so much a bug as a question of why.
When adding a CSP to my Episerver site, I can configure everything to work safely and securely on the front end.
But the second one tries to load /episerver/cms, everything breaks because the CSP blocks dojo.js's attempts to run an eval() function, as well as the inline scripts that are put into edit mode.

My question is this:
Are there any plans to fix this, as far as anyone is aware? Because running Episerver with a CSP that has to include both 'unsafe-inline' and 'unsafe-eval' feels rather bad.

Best Regards
Pål-j

#199843
Dec 13, 2018 13:54
I have disabled CSP on everything under /episerver and /Modules :(

But I still have the problem of the quick navigator, which contains the following JavaScript: href="javascript:void(0)" :(

I am not sure what to do about that.

#200659
Jan 20, 2019 8:48
If you set up the CSP headers in a globally assigned ActionFilterAttribute, you can interrogate the ActionExecutingContext to determine if the request is a controller for a PageData object and whether it is a child request or not.

In the example below, all page controllers have a currentContent parameter for the PageData object. Block controllers will always render with filterContext.IsChildAction being true. I check both values to ensure the CSP header is only applied on content pages.

    using System.Web.Mvc;
    using EPiServer.ServiceLocation;

    // ActionFilterAttribute already implements IActionFilter, so no extra interface is needed.
    public class ContentSecurityPolicyActionFilterAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            base.OnActionExecuting(filterContext);

            // Only top-level page requests: page controllers bind the PageData as "currentContent",
            // and block controllers always run as child actions.
            if (filterContext.ActionParameters.ContainsKey("currentContent") && !filterContext.IsChildAction)
            {
                // GlobalSettings is a site-specific settings type in the poster's project, not an Episerver API.
                var globalSettings = ServiceLocator.Current.GetInstance<GlobalSettings>();

                if (!string.IsNullOrWhiteSpace(globalSettings?.ContentSecurityPolicy))
                {
                    var csp = globalSettings.ContentSecurityPolicy;
                    filterContext.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
                }
            }
        }
    }
#222906
May 13, 2020 15:28
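As an added example (not code from any poster in this thread, nor part of Episerver itself), the following C# extends the filter approach from the last post to address the concern raised in the first: a nonce-based policy for anonymous visitors that needs neither 'unsafe-inline' nor 'unsafe-eval', and a step-down to Content-Security-Policy-Report-Only when an editor is rendering the page, so the CMS shell's eval() in dojo.js, the inline scripts injected in edit mode and the quick navigator's javascript: hrefs are reported rather than blocked. It assumes ASP.NET MVC 5 on System.Web and Episerver CMS 11 (PageData, PageEditing.PageIsInEditMode, PrincipalInfo.HasEditAccess); the GlobalSettings type from the post above is replaced by a hard-coded policy template, and the class, key and helper names are my own.

```csharp
// Added example: nonce-based CSP for Episerver front-end pages (not from the thread).
// Assumptions: ASP.NET MVC 5 (System.Web), Episerver CMS 11, policy template hard-coded.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using EPiServer.Core;
using EPiServer.Editor;
using EPiServer.Security;

public class NonceContentSecurityPolicyFilter : ActionFilterAttribute
{
    private const string NonceItemKey = "CspNonce"; // HttpContext.Items key (my own name)

    // {0} is replaced by the per-request nonce. No 'unsafe-inline' or 'unsafe-eval':
    // views emit <script nonce="@Html.CspNonce()"> for their own inline scripts.
    private const string PolicyTemplate =
        "default-src 'self'; " +
        "script-src 'self' 'nonce-{0}'; " +
        "style-src 'self' 'nonce-{0}'; " +
        "img-src 'self' data:; " +
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        base.OnActionExecuting(filterContext);

        // Same gate as the post above: top-level page controllers only (no block
        // child actions), so /episerver and /Modules never receive this header.
        if (filterContext.IsChildAction ||
            !filterContext.ActionParameters.TryGetValue("currentContent", out var content) ||
            !(content is PageData))
        {
            return;
        }

        var httpContext = filterContext.HttpContext;
        var nonce = CreateNonce();
        httpContext.Items[NonceItemKey] = nonce;
        var policy = string.Format(PolicyTemplate, nonce);

        // Editors get the same policy in Report-Only mode: on-page edit injects inline
        // scripts and the quick navigator uses javascript: hrefs, neither of which a
        // nonce policy can allow. Anonymous visitors get the enforced header.
        var headerName = PageEditing.PageIsInEditMode || PrincipalInfo.HasEditAccess
            ? "Content-Security-Policy-Report-Only"
            : "Content-Security-Policy";

        httpContext.Response.Headers.Add(headerName, policy);
    }

    // 128 bits from a CSPRNG, base64-encoded, as CSP nonces are expected to be.
    private static string CreateNonce()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    public static string CurrentNonce(HttpContextBase context)
        => context.Items[NonceItemKey] as string ?? string.Empty;
}

public static class CspHtmlHelperExtensions
{
    // Razor usage: <script nonce="@Html.CspNonce()">...</script>
    public static IHtmlString CspNonce(this HtmlHelper html)
        => new HtmlString(NonceContentSecurityPolicyFilter.CurrentNonce(html.ViewContext.HttpContext));
}

public static class FilterConfig
{
    // Call from Application_Start in Global.asax:
    //   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new NonceContentSecurityPolicyFilter());
    }
}
```

Two caveats when using this pattern: a nonce must differ on every response, so pages carrying this header must not be served from output cache (a cached body would carry a nonce that no longer matches the freshly generated header), and the Report-Only branch means an authenticated editor's browser does not enforce the policy, which is a deliberate trade-off for the CMS shell's scripts rather than a hardening of the editor session itself. Adding a report-uri or report-to directive to the template lets you see what the shell would have violated before deciding whether a stricter editor policy is feasible.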