I have tried applying CSP in the web.config file of an ASP.NET web-form project. However, I am getting an unrecognized unsafe-inline error.
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value=" 'unsafe-inline'" />
I tried using default-src, safe, unsafe-eval in the value. All of them are throwing unrecognized errors.
Could you please provide me any resource to resolve this?
You see this error because specifying 'unsafe-inline' without a directive is not a valid content security policy definition.
A valid one is made of one or more directives followed by a value, each separated with a semicolon.
The one in your question could look like below.
Notice the directive default-src and its value 'unsafe-inline'.
<add name="Content-Security-Policy" value="default-src 'unsafe-inline'" />
See this reference with an overview of directives and values.
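
The directive/value structure described in the answer, as an added example that is not part of the original answer: a small linter that splits a header value the way browsers do and reports a source keyword sitting in the directive position. The function names `parsePolicy` and `lintPolicy` and the subset of directive names are assumptions of this sketch, not a full CSP parser.

```javascript
// Directive names from CSP Level 3 (a subset, enough for a structural check).
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
  'base-uri', 'form-action', 'frame-ancestors', 'sandbox', 'report-uri', 'report-to',
  'upgrade-insecure-requests',
]);

// Split a header value into [{ name, values }]: ';' separates directives,
// whitespace separates a directive name from its values.
function parsePolicy(headerValue) {
  return headerValue
    .split(';')
    .map((part) => part.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length > 0)
    .map(([name, ...values]) => ({ name: name.toLowerCase(), values }));
}

// Return human-readable problems; an empty array means the structure is sound.
function lintPolicy(headerValue) {
  const problems = [];
  const seen = new Set();
  for (const { name, values } of parsePolicy(headerValue)) {
    if (name.startsWith("'")) {
      problems.push(`${name} is a source keyword used where a directive name is expected`);
    } else if (!KNOWN_DIRECTIVES.has(name)) {
      problems.push(`unrecognized directive ${name}`);
    } else if (seen.has(name)) {
      problems.push(`duplicate directive ${name} is ignored by browsers`);
    }
    seen.add(name);
    // A directive name among the values usually means a missing ';'.
    for (const v of values) {
      if (KNOWN_DIRECTIVES.has(v.toLowerCase())) {
        problems.push(`${v} appears as a value of ${name}; missing ';' before it?`);
      }
    }
  }
  return problems;
}

// Constructed sample inputs: the value from the question, the corrected value
// from the answer, and a policy with a missing semicolon.
console.log(lintPolicy(" 'unsafe-inline'"));
console.log(lintPolicy("default-src 'unsafe-inline'"));
console.log(lintPolicy("default-src 'self' script-src 'unsafe-inline'"));
```

The linter checks structure only. It does not judge how strict a policy is, and 'unsafe-inline' still permits inline script and style.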