I am trying to configure this in an ASP.NET MVC application in the web.config as follows:
<nwebsec>
<httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
<securityHttpHeaders>
<content-Security-Policy-Report-Only enabled="true">
<default-src self="true">
<add source="https://static.mydomain.com" />
<add source="unsafe-inline" />
<add source="unsafe-eval" />
</default-src>
</content-Security-Policy-Report-Only>
</securityHttpHeaders>
</httpHeaderSecurityModule>
</nwebsec>
which means I end up with a header that looks as follows:
default-src 'self' https://static.mydomain.com unsafe-inline unsafe-eval
but this is still failing my page because inline scripts are not allowed. I am guessing I want my header to look like:
default-src 'self unsafe-inline unsafe-eval' https://static.ozcruising.com.au
So my question is how do I change my NWebSec configuration to allow inline scripts to be allowed from the page itself (same origin) as well as support serving content from https://static.mydomain.com?
Unsafe-inline is only relevant for script-src and style-src and unsafe-eval is only relevant for script-src. Thus these cannot be configured at the default-src level. You have to do it this way:
<default-src self="true">
<add source="https://static.mydomain.com" />
</default-src>
<script-src self="true" unsafeInline="true" unsafeEval="true">
<add source="https://static.mydomain.com" />
</script-src>
<style-src self="true" unsafeInline="true">
<add source="https://static.mydomain.com" />
</style-src>
You have to specify self and static.mydomain.com again in script-src and style-src because more specific *-src clears everything default-src had specified.