Update panel not working with Content-Security-Policy in webconfig
Question
Answers
-
User-330142929 posted
Hi O.Masnournia,
As far as I know, websites have the same restriction for security. General speaking, website code is not allowed to access resources in other domains, and CSP tells the client (browser) to allow loading and not allowing loaded resources. The AJAX object XMLHttpRequest has the same restrictions. So Updatepanel should meet CSP.
In fact, we need to ensure that the returned html response has a CSP Header. And then Browser (requires some version support) will execute CSP.
Here is one of the most common ways to use CSP.
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval' https://d2i2wahzwrm1n5.cloudfront.net ; style-src 'self' 'unsafe-inline' https://d35islomi5rx1v.cloudfront.net ; font-src 'self' https://d35islomi5rx1v.cloudfront.net 'data:'; img-src 'self' https://d35islomi5rx1v.cloudfront.net 'data:'" />I have made a demo, wish it is useful to you.
Html.
<!DOCTYPE html> <html lang="en"> <head> <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' ; " /> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="ie=edge"> <title>Document</title> <script src="https://cdn.bootcss.com/jquery/3.3.1/jquery.js"></script> <script> $(function () { alert("Hello world"); }) </script> </head> <body> <div> </div> </body> </html>How it works.
Please refer to the following link.
https://rehansaeed.com/content-security-policy-for-asp-net-mvc/
Feel free to let me know if you have any question.
Best Regards,
Abraham
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
