Getting 502 Bad Gateway in Post/ applicationurl/signin-oidc after applying NWebSec CSP in my asp.net core application - asp.net-core

The issue is related to NWebSec content security headers.
If I use more wildcard entries in my NWebSec CSP code then it works, but if I use the exact URLs that I need in my application then it gives an error on my sign-in page: "Post/ applicationurls.com/signin-oidc" 502 Bad Gateway.
I think this issue is related to the response header size in ASP.NET Core. I've tried a few code changes to increase the response header size in .NET Core but nothing helps.
Below is my working code with more wildcard entries, but I need to use some of the URLs exactly and need to add a few more.
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;

internal static class NWebSecExtensions
{
    internal static void AddNWebSecSecurity(this IApplicationBuilder app, IConfiguration config)
    {
        app.UseXXssProtection(options => options.EnabledWithBlockMode());
        app.UseXfo(xfo => xfo.SameOrigin());
        app.UseRedirectValidation(options =>
        {
            options.AllowSameHostRedirectsToHttps()
                .AllowedDestinations("https://www.google.com/accounts/", config["NWebSec:TestCheckInstanceDomain"]);
        }); // Register this earlier if there's middleware that might redirect.
        app.UseCsp(options => options
            .DefaultSources(s => s.Self())
            .ScriptSources(s =>
            {
                s.Self().UnsafeEval().UnsafeInline()
                    .CustomSources("https://www.google-analytics.com", "https://www.googletagmanager.com",
                        "https://xyz.test.net", "https://*.testnetwork.net", "https://xyz.cdntestwork.net");
            })
            .StyleSources(s =>
            {
                s.Self().UnsafeInline()
                    .CustomSources("https://xyz.test.net", "https://*.testnetwork.net");
            })
            .ImageSources(s =>
            {
                s.Self().CustomSources("data:", "https:");
            })
            .ObjectSources(s => s.Self())
            .ConnectSources(s =>
            {
                s.Self()
                    .CustomSources($"wss://{config["NWebSec:MyTestCAppServiceDomain"]}",
                        $"https://{config["NWebSec:TestWebStrMediaDomain"]}",
                        $"https://{config["NWebSec:TestStorageAccountDomain"]}",
                        "https://www.google-analytics.com", "https://web.mynetwork.com/",
                        "https://*.testnetwork.com", "https://*.dnstestcrt.net",
                        "https://*.testnetwork.net", "https://*.oceantest.net");
            })
            .MediaSources(s =>
            {
                s.Self()
                    .CustomSources(
                        $"https://{config["NWebSec:TestWebStrMediaDomain"]}",
                        "blob:", "https://*.testnetworkcdn.com", "https://*.dnstestcrt.net",
                        "https://*.testnetwork.com",
                        "https://*.elenewtd.net", "https://*.elenewtd.net", "https://*.oceanfms.net",
                        "https://*.oceantest.net");
            })
            .FrameSources(s => { s.Self().CustomSources("https://*.testnetwork.net/"); })
            .ChildSources(s => { s.Self().CustomSources("blob:"); })
            .FontSources(s => { s.Self().CustomSources("https://xyz.test.net", "data:"); }));
    }
}
If I add the sources below, which are the ones I actually need, then it starts giving me the 502 Bad Gateway issue.
Content-security-policy:
default-src https://*.testsrcwo.net 'self';
script-src https://*.testsrcwo.net 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://www.googletagmanager.com
https://xyz.test.net https://swebce.zoom.us https://runers.testnetwork.net https://opr.krcdnt.net;
object-src https://*.testsrcwo.net 'self';
style-src https://*.testsrcwo.net 'self' 'unsafe-inline' https://xyz.test.net https://troep.trotr.us https://runers.testnetwork.net;
img-src https://*.testsrcwo.net 'self' data: https://dashboard.mynetwork.org https://www.google-analytics.com https://xyz.test.net
https://web.mynetwork.com https://starttrik.testnetwork.com https://cf-images.tre-tei-1.lean.dnsjunto.net https://runers.testnetwork.net https://*.dnsjunto.net https://plunt.ghandukans.com;
run-src https://*.testsrcwo.net 'self' https://lean-ghan-dukans-treehills-shabs-ams-proxy-func.testwebsites.net https://leantreehillsshabsrun-euno.jumkoo.run.test.net https://shada-leantreehillsshabsrun-euno.jumkoo.run.test.net blob: https://*.testnetworkcdn.com https://*.dnsjunto.net https://*.run.testnetwork.com https://*.elewend.net https://*.elewend.net https://*.treetop.net https://*.oceapto.net https://leantreehillsshabsrun.keydelivery.neartoyou.run.test.net;
frame-src https://*.testsrcwo.net 'self' https://runers.testnetwork.net;
font-src https://*.testsrcwo.net 'self' https://xyz.test.net data:;
connect-src https://*.testsrcwo.net 'self' wss://lean-ghan-dukans-testplt-vart-kaptry.testwebsites.net https://leantreehillsshabsrun.keydelivery.neartoyou.run.test.net https://leantreehillsshabsrun-euno.jumkoo.run.test.net https://leanghandukanstreehillseve.blob.roit.windows.net https://shada-leantreehillsshabsrun-euno.jumkoo.run.test.net https://www.google-analytics.com https://web.mynetwork.com https://edge.api.testnetwork.com https://manifest.lean.dnsjunto.net https://runers.testnetwork.net https://bcbolt446c5271-a.oceapto.net https://lean-ghan-dukans-treehills-shabs-tro-proxy-func.testmywebsites.net;
child-src https://*.testsrcwo.net 'self' blob:; report-uri /WebRreirutie.axd?cspReport=true;
Please find my Startup class, Program file, and web.config below.
Startup.cs
ConfigureServices method code -
Configure method code -
Program.cs
WebConfig

Related

Refused to load the script CSP

I added CSP to my Nuxt website. It worked until I added addMeta:true to the CSP object.
Now I'm getting this error:
Error text:
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'sha256-pbUsaX0N1YAAThWC12JxlsJzrk+Kb8u0nzG7RegV+Tw='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I have checked the CSP using https://csp-evaluator.withgoogle.com/
and it has no issue.
The output:
default-src 'self' *.tawk.to MYHOST;
img-src https: *.google-analytics.com *.w3.org MYHOST data:;
worker-src 'self' blob: MYHOST *.tawk.to;
style-src 'self' 'unsafe-inline' MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to *.jsdelivr.net;
script-src-elem 'self' 'unsafe-inline' MYHOST *.google-analytics.com *.tawk.to *.googletagmanager.com;
font-src 'self' MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to data:;
connect-src https: wss: MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to;
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri MYHOST;
script-src 'sha256-QmdMW6/6GRLx7y5TPpTuUM6roj/PoGrZMBytBPICuLo=' 'self'
Any idea what causes this error? And do I need the meta tag, or is it not necessary?
It seems like you might have deployed multiple CSPs, one as a meta tag, possibly another as a response header. Adding another CSP can only make it stricter. You should check if there is a CSP in a response header and how it is configured.
If you proceed with your policy in meta, you should expand the error message to see the URLs in question. Some are likely the same domain, for which you should add 'self' to script-src.
Based on the current information, there is not much more advice that can be given.

Vuejs Content Security Policy Not Working

I'm using Google Drive to host my images, so the image URLs on my website look like this:
<img src="https://drive.google.com/uc?export=view&id=1SJcEZndPKl7DxU1K8Iit" />
Locally it works well, but on my VPS it's not working. I'm getting this error:
Refused to load the image 'https://drive.google.com/uc?export=view&id=1SJcEZndPKl7DxU1K8Iit' because it violates the following Content Security Policy directive: "img-src 'self' data:".
I researched it and tried this code in dist/index.html:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';">
But I'm still getting the same error, and when I write that into the head I start getting a new error:
Refused to load the font 'data:application/x-font-woff2;charset=utf-8;base64,d09GMgABAAAAAAz0AAsAAAAAGOAAAAymAAEAAAAAA...' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'unsafe-eval'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback. Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme 'data:' must be added explicitly.
I tried this in my backend:
app.use(function (req, res, next) {
    res.setHeader(
        'Content-Security-Policy-Report-Only',
        "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'"
    );
    next();
});
But it's still not working. What should I do?
Edit:
I did this:
<meta http-equiv="Content-Security-Policy" content="default-src *;img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *; font-src 'self' data:">
And my second error (Refused to load the font) is solved, but I'm still getting the same main error.

Refused to display index.html because an ancestor violates the following Content Security Policy directive

I have a Blazor WebAssembly hosted in ASP.NET Core. For security, I added the following headers:
app.Use((context, next) =>
{
    context.Response.GetTypedHeaders().CacheControl =
        new Microsoft.Net.Http.Headers.CacheControlHeaderValue()
        {
            MustRevalidate = true,
            NoCache = true,
            NoStore = true,
        };
    string oidcAuthority = "https://myidsrv";
    string mainUrl = "https://myurl";
#if DEBUG
    mainUrl = "https://localhost:7241";
#endif
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    // Each concatenated fragment ends with a space so adjacent URLs stay separate tokens.
    context.Response.Headers.Add("Content-Security-Policy",
        $"default-src 'self' {mainUrl} {oidcAuthority} " +
        "https://code.cdn.mozilla.net " +
        "https://dc.services.visualstudio.com " +
        "'unsafe-inline' 'unsafe-eval'; " +
        $"script-src 'unsafe-inline' 'unsafe-eval' {mainUrl}; " +
        $"connect-src 'self' {oidcAuthority} https://code.cdn.mozilla.net; " +
        $"img-src 'self' data {mainUrl}; " +
        $"style-src 'unsafe-inline' {mainUrl} " +
        "https://code.cdn.mozilla.net" +
        "; " +
        "base-uri 'self'; " +
        "form-action 'self'; " +
        "frame-ancestors 'self';");
    context.Response.Headers.Add("Referrer-Policy", "same-origin");
    context.Response.Headers.Add("Permissions-Policy",
        "geolocation=(), microphone=()");
    context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
    context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
    context.Response.Headers.Add("SameSite", "Strict");
    return next.Invoke();
});
When I inspect the website, I see that index.html is not loaded because it doesn't appear in the frame ancestors.
Despite this error, the web application works on Windows but not on iOS.
How can I fix it?
I just logged into your website and found a bug with this image.
The error you are currently encountering should be a problem with the usage of CSP.
Solution:
Image:
    img-src 'self' {mainUrl} data:;
HTML:
    script-src 'self' {mainUrl} 'unsafe-inline' 'unsafe-eval';

Stripe Content Security Policy Error for img src in Express App

After entering card details and proceeding to payment, a small blank pop-up from Stripe appears and I get an error in the console.
Refused to load the image 'https://hooks.stripe.com/img/favicon.png' because it violates the following Content Security Policy directive: "img-src data: https://q.stripe.com".
Here is the screenshot of the error:
I have also set the Content Security Policy as per Stripe's documentation, but I still get the same error again and again.
app.post('/payments/create', async (request, response) => {
    response.set("Content-Security-Policy", `script-src 'self' https://js.stripe.com https://checkout.stripe.com; style-src 'self' checkout.stripe.com; frame-src 'self' *.stripe.com *.stripe.network; img-src data: 'self' https://*.stripe.com; connect-src 'self' *.stripe.com;`);
    const total = request.query.total;
    const paymentIntent = await stripe.paymentIntents.create({
        amount: total, // subunits of the currency
        currency: "usd",
    });
    response.status(201).send({
        clientSecret: paymentIntent.client_secret,
    }); // 201: OK and created something
});
The error says that your img-src directive is "img-src data: https://q.stripe.com" while your policy definition says it is "img-src data: 'self' https://*.stripe.com;". You should check if there are multiple CSPs defined in response headers or meta tags. Content will need to pass all policies, and in this case there is likely another policy causing it to break. You might have tried to implement CSP in another way first and forgot to remove it.
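The answers above keep coming back to the same three mechanics: a fetch must pass every policy that was delivered (header and meta), a directive that is not set falls back to another one (script-src-elem to script-src, font-src to default-src), and a bare `*` never covers data: or blob:. The NWebSec question at the top also shows a header long enough to trip a proxy, with some sources listed twice. The following checker is an added example, not code from any of the posts or from NWebSec, Nuxt, Vue or Stripe; it parses a policy, lints it for repeated sources and header size, and evaluates a URL against one or more policies with the CSP3 fallback chain. The document origin `https://example.test/` and every policy in the demo are constructed placeholders; the matcher covers scheme-, host- and keyword-sources and omits the longer worker-src chain.

```javascript
'use strict';
// Added example: CSP parsing, lint for repeated sources and header size, and a
// "does this fetch pass every delivered policy?" check with CSP3 directive fallback.
// All sample policies below are constructed; the document origin is a placeholder.

// Fallback chain: a missing directive defers to the next one listed (worker-src's
// longer chain is omitted for brevity).
const FALLBACK = {
  'script-src-elem': 'script-src', 'script-src-attr': 'script-src', 'style-src-elem': 'style-src',
  'style-src-attr': 'style-src', 'frame-src': 'child-src', 'child-src': 'default-src',
  'script-src': 'default-src', 'style-src': 'default-src', 'img-src': 'default-src',
  'font-src': 'default-src', 'connect-src': 'default-src', 'media-src': 'default-src',
  'object-src': 'default-src', 'manifest-src': 'default-src',
};
const NETWORK_SCHEMES = ['http:', 'https:', 'ws:', 'wss:'];
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "name src src; name src" -> Map<name, string[]>. Browsers honour only the first
// occurrence of a directive name, so repeats are ignored here as well.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Lint: sources repeated inside a directive, plus header size before and after
// removing them (oversized response headers are what reverse proxies reject).
function lintPolicy(policy) {
  const duplicates = [];
  const cleaned = [];
  for (const [name, sources] of parsePolicy(policy)) {
    const unique = [];
    for (const s of sources) {
      if (unique.includes(s)) duplicates.push(`${name}: ${s}`);
      else unique.push(s);
    }
    cleaned.push([name, ...unique].join(' '));
  }
  const cleanedPolicy = cleaned.join('; ');
  return { duplicates, cleanedPolicy,
    bytes: Buffer.byteLength(policy, 'utf8'), cleanedBytes: Buffer.byteLength(cleanedPolicy, 'utf8') };
}

// Does one source expression match a URL? `self` is the document's own URL.
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === self.origin;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes never match a URL
  // Bare '*' covers network schemes only: data: and blob: must be listed explicitly.
  if (e === '*') return NETWORK_SCHEMES.includes(url.protocol) || url.protocol === self.protocol;
  if (!e.includes('/') && e.endsWith(':')) return url.protocol === e; // scheme-source: https:, data:
  // host-source: [scheme://]host[:port][/path]
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*\s]+)(?::(\d+|\*))?(\/\S*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== `${scheme}:` && !(scheme === 'http' && url.protocol === 'https:') &&
        !(scheme === 'ws' && url.protocol === 'wss:')) return false;
  } else if (url.protocol !== self.protocol && !(self.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }
  if (host.startsWith('*.')) { if (!url.hostname.endsWith(host.slice(1))) return false; }
  else if (host !== '*' && url.hostname !== host) return false;
  if (port === undefined) { if (url.port !== '') return false; } // no port given: default port only
  else if (port !== '*' && port !== (url.port || DEFAULT_PORTS[url.protocol])) return false;
  if (path && path !== '/') {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Walk the fallback chain to the directive that actually governs this fetch.
function effectiveDirective(directives, name) {
  for (let n = name; n; n = FALLBACK[n]) {
    if (directives.has(n)) return { name: n, sources: directives.get(n) };
  }
  return null; // no governing directive: the fetch is allowed
}

// A fetch must pass every policy delivered (header and/or <meta>); report which ones block it.
function isAllowed(policies, directiveName, urlString, documentUrl) {
  const url = new URL(urlString);
  const self = new URL(documentUrl);
  const blockedBy = [];
  for (const policy of policies) {
    const eff = effectiveDirective(parsePolicy(policy), directiveName);
    if (eff && !eff.sources.some((s) => sourceMatches(s, url, self))) {
      blockedBy.push(`${eff.name} ${eff.sources.join(' ')}`);
    }
  }
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed demo: placeholder document origin, a Drive-style image and a tiny data: font.
const DOC = 'https://example.test/';
console.log(isAllowed(["img-src 'self' data:"], 'img-src', 'https://drive.google.com/uc?export=view&id=1', DOC));
console.log(isAllowed(["default-src * 'unsafe-inline'"], 'font-src', 'data:font/woff2;base64,AAAA', DOC));
console.log(lintPolicy("media-src 'self' https://*.a.test https://*.a.test"));
```

Feeding two policies to `isAllowed` reproduces the Stripe situation: a policy with `img-src data: https://q.stripe.com` blocks the favicon even though a second policy allows `https://*.stripe.com`, and `blockedBy` names the offending directive exactly as the browser console does. Running `lintPolicy` over a long production header shows how many bytes repeated sources cost before touching proxy limits.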

CSP refused API Twitter

When I try to authenticate, the redirect URL for it gets a 400 response:
api.twitter.com/oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx:1
GET
https://api.twitter.com/oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx
400 () /oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx:1 Refused
to apply inline style because it violates the following Content
Security Policy directive: "style-src https://abs.twimg.com
https://abs-0.twimg.com". Either the 'unsafe-inline' keyword, a hash
('sha256-4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ='), or a nonce
('nonce-...') is required to enable inline execution.
On my "connect twitter" page there is a meta CSP:
<meta http-equiv="Content-Security-Policy" content="default-src *;
style-src 'self' http://* https://* 'unsafe-inline'; script-src 'self'
http://* 'unsafe-inline' 'unsafe-eval'; img-src * data:" />
What's going wrong?
That's complaining about Twitter's CSP directive, not your own.
You can see their directive here, and it contains the following:
style-src https://abs.twimg.com https://abs-0.twimg.com
This directly matches the error message.
Why Twitter is apparently blocking its own API call, I don't know.
By the way, on a separate note, I think your syntax is wrong, as I don't think https://* is allowed, and it should be:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http: https: 'unsafe-inline'; script-src 'self' http: 'unsafe-inline' 'unsafe-eval'; img-src * data:" />