
Azure Swap does not work after applying Content Security Policy


I have just applied a Content Security Policy to my Azure Web App in my development environment and it is working fine.

I can also upload it to my staging site on Azure and it runs fine there and the policy is correctly applied and then enforced by my browser. However, when I do a swap, I get the following error:

Cannot swap slots for site 'MySite' because the worker process in 'staging' slot aborted the warmup request. This may happen if site has IP Restriction or URL rewrite rules that block HTTP requests.

Here is the policy that I am applying (as defined in my web.config):

<add name="Content-Security-Policy"
     value="default-src     'none';
            script-src      'self' https: 'unsafe-inline' 'unsafe-eval';
            style-src       'self' https: 'unsafe-inline';
            img-src         'self' https: 'unsafe-inline' data: blob:;
            connect-src     'self' https:;       
            font-src        'self' https:;
            object-src      'none';
            media-src       'self';
            child-src       'self';
            form-action     'self';
            frame-ancestors 'none'"/>

What is the problem?


Solution

  • Azure doesn't like the carriage returns in the Content-Security-Policy value in the web.config.

    If you examine the web.config using the App Service Editor (that is available through the Azure Portal) then you will see the carriage returns have been encoded and turned into

    &#xD;&#xA;

    This creates the following invalid CSP, which is why the swap is breaking:

    default-src 'none';&#xD;&#xA; script-src 'self' https: 'unsafe-inline' 'unsafe-eval';&#xD;&#xA; style-src 'self' https: 'unsafe-inline';&#xD;&#xA; img-src 'self' https: 'unsafe-inline' data: blob:;&#xD;&#xA; connect-src 'self' https:; &#xD;&#xA; font-src 'self' https:;&#xD;&#xA; object-src 'none';&#xD;&#xA; media-src 'self';&#xD;&#xA; child-src 'self';&#xD;&#xA; form-action 'self';&#xD;&#xA; frame-ancestors 'none'

    In short, we need to enter our CSPs all on one line, which reduces readability but is required for Azure to swap.
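As an added example (not from the question or the answer above): a small Python check that reads the stored Content-Security-Policy value from a web.config customHeaders entry, reports any literal or entity-encoded line breaks, and rewrites the policy onto one line. The web.config fragment is constructed to mirror the encoded form shown in the answer, and the `<add name=... value=...>` layout from the question is assumed.

```python
import html
import re

# Constructed sample: a customHeaders entry as it looks *after* deployment,
# with the line breaks already encoded as &#xD;&#xA; (the form the App Service
# Editor shows). Not the poster's actual file.
DEPLOYED_WEB_CONFIG = (
    '<configuration><system.webServer><httpProtocol><customHeaders>'
    '<add name="Content-Security-Policy" value="default-src \'none\';&#xD;&#xA; '
    "script-src 'self' https: 'unsafe-inline' 'unsafe-eval';&#xD;&#xA; "
    "connect-src 'self' https:; &#xD;&#xA; "
    "frame-ancestors 'none'\"/>"
    '</customHeaders></httpProtocol></system.webServer></configuration>'
)

ADD_RE = re.compile(r'<add\s+name="Content-Security-Policy"\s+value="([^"]*)"', re.S)
# Literal CR/LF plus their hex and decimal XML character references.
BREAK_RE = re.compile(r'\r|\n|&#x0*[dDaA];|&#1[03];')

def raw_csp_value(web_config_text):
    """Return the CSP attribute text exactly as stored in web.config (or None)."""
    m = ADD_RE.search(web_config_text)
    return m.group(1) if m else None

def line_break_issues(raw_value):
    """List every CR/LF, literal or encoded, found in the stored header value."""
    return [m.group(0) for m in BREAK_RE.finditer(raw_value)]

def normalise_csp(raw_value):
    """Decode entities, then collapse each directive to one line, ';'-separated."""
    decoded = html.unescape(raw_value)
    directives = [" ".join(part.split()) for part in decoded.split(";")]
    return "; ".join(d for d in directives if d)

def parse_csp(value):
    """Map each directive to its source list so the policy can be inspected."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

if __name__ == "__main__":
    raw = raw_csp_value(DEPLOYED_WEB_CONFIG)
    issues = line_break_issues(raw)
    print(f"{len(issues)} line-break sequence(s) in stored CSP: {sorted(set(issues))}")
    fixed = normalise_csp(raw)
    print("single-line value:", fixed)
    print("parsed:", parse_csp(fixed))
```

Run it against a local web.config as well: the regex also flags literal carriage returns, so the check catches the problem before deployment rather than only in the encoded form the editor shows.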