asp.net-coreblazorcontent-security-policy
Refused to display index.html because an ancestor violates the following Content Security Policy directive
I have a Blazor WebAssembly hosted in ASP.NET Core. For security, I added the following headers:
app.Use((context, next) =>
{
context.Response.GetTypedHeaders().CacheControl =
new Microsoft.Net.Http.Headers.CacheControlHeaderValue()
{
MustRevalidate = true,
NoCache = true,
NoStore = true,
};
string oidcAuthority = "https://myidsrv";
string mainUrl = "https://myurl;
#if DEBUG
mainUrl = https://localhost:7241;
#endif
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
context.Response.Headers.Add("Content-Security-Policy",
$"default-src 'self' {mainUrl} {oidcAuthority} " +
"https://code.cdn.mozilla.net" +
"https://dc.services.visualstudio.com" +
"'unsafe-inline' 'unsafe-eval'; " +
$"script-src 'unsafe-inline' 'unsafe-eval' {mainUrl}; " +
$"connect-src 'self' {oidcAuthority} https://code.cdn.mozilla.net;" +
$"img-src 'self' data {mainUrl}; " +
$"style-src 'unsafe-inline' {mainUrl} " +
"https://code.cdn.mozilla.net" +
";" +
"base-uri 'self'; " +
"form-action 'self'; " +
"frame-ancestors 'self';");
context.Response.Headers.Add("Referrer-Policy", "same-origin");
context.Response.Headers.Add("Permissions-Policy",
"geolocation=(), microphone=()");
context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
context.Response.Headers.Add("SameSite", "Strict");
return next.Invoke();
});
When I inspect the website, I see that the index.html is not loaded because it doesn't appear in the frame ancestors.
Although this error, the webapplication is working on Windows but not on iOS.
How can I fix it?
Solution
I just logged into your website and found a bug with this image.
The error you are currently encountering should be a problem with the usage of CSP.
Solution
image
img-src 'self' {mainUrl} data:;
html
script-src 'self' {mainUrl} 'unsafe-inline' 'unsafe-eval';
- Redis cache in .NET 8 is not taking effect?
- Use React Authentication with .NET backend?
- List users with roles in a razor page using asp.net 6.0 Identity
- Correct handling of formless AJAX POST and AntiForgery in C# Razor Pages
- how to load partial view in ajax in asp.net core
- Entity Framework Core multiple connection strings on same DBContext?
- error A value of type 'int' cannot be used as a default parameter because there are no standard conversions to type
- What is this string inside Blazor components HTML tag
- Blazor Server: Breadcrumb change using JavaScript persists across pages
- .net blazor new debug profile lacks .css .js why?
- How to get results from a Postgresql function using EF Core?
- ASP Net identity two factor authentication last expired token is getting validated successfully
- Why string property must be declared as nullable string in Entity Framework Core when corresponding database table column is nullable
- HTTP Error 500.30 - ASP.NET Core app failed to start(abp-commercial)
- How to Configure Swagger to Display Different Model Classes Based on Content Type in .NET API
- How to register multiple implementations of the same interface with different dependencies
- How to remove UserName field from asp.net core 3 Identity
- Difference between BadRequestResult and BadRequestObjectResult
- Where do custom metrics I did not set come from
- How to force Visual Studio to re-create the SSL certificate for a .NET Core Web Application running Kestrel?
- How to map a user attribute to a standard OIDC claim in keycloak
- How to mock service injected by HttpContext.RequestServices.GetService<> in derived controller?
- ASP. NET Core 8: Error HTTP 500 and returnurl=%2F in the URL
- Asp Core, How to use PagingList<T>.CreateAsync() with a viewModel?
- Why is Application Insights showing no events
- ASP.NET Core - error 404.15 after adding authorization services
- Why am I getting this Content Policy error?
- SignalR hub connection StateChanged not working client
- Why is this API considered having ambiguous method/path combination when the names and routes are different?
- How to use "TypedHttpClientFactory" with "AddHttpMessageHandler"?