asp.net-mvc-5web-configcontent-security-policyumbraco6nwebsec

Applying different Content Security Policies to different directories with NWebSec

I've got an ASP.NET MVC website with a heavily customised Umbraco 6 backend as the site's CMS.

I've been upgrading the content security policy (CSP) headers all across the site, which I am doing by use of NWebsec, and the website now happily uses CSP 3 strict-dynamic and there are nonces on every script tag, and everything works fine.

Unfortunately, I haven't been able to apply the same changes to the Umbraco admin area, so most of that does not work at all.

So what I want to do is apply the strict CSP 3 policy to the public-accessible parts of the website, and apply a relaxed CSP policy to the locked-down admin area.

The Umbraco admin area sits under a subdirectory /umbraco/ so I thought the best way to implement this would be to use two different location elements in the site's Web.config file.

So my Web.config now looks something like:

<!-- Specific CSP for Umbraco -->
<location path="~/umbraco">
  <nwebsec>
  ...
  <content-Security-Policy enabled="true">
    ...
    <script-src self="true" unsafeInline="true" unsafeEval="true">
      <add source="data:" />
    </script-src>
    ...
  </content-Security-Policy>
  </nwebsec>
</location>

<!-- default CSP for everything else -->
<location path=".">
  <nwebsec>
  ...
  <content-Security-Policy enabled="true">
    ...
    <script-src self="true" unsafeInline="true" unsafeEval="false" strictDynamic="true">
    </script-src>
    ...
  </content-Security-Policy>
  </nwebsec>
</location>

But this applies the default config to the whole site.

I'm not sure whether I've got the config wrong, or maybe NWebSec doesn't support what I'm trying to do, or there's some specific issue with redirects or something else.

Solution

  • Fixed by creating a separate Web.config in the /umbraco subdirectory.

    Main Web.config:

    <location path="." allowOverride="true"> <nwebsec> ... <content-Security-Policy enabled="true"> ... <script-src self="false" unsafeInline="true" unsafeEval="false" strictDynamic="true"> <add source="www.example.com" /> </script-src> ... </content-Security-Policy> </nwebsec> </location>

    Web.config in the /umbraco subdirectory:

    <location path="." allowOverride="true"> <nwebsec> ... <content-Security-Policy enabled="true"> ... <script-src self="true" unsafeInline="true" unsafeEval="true" strictDynamic="false"> <clear/> <add source="www.other-example.com" /> </script-src> ... </content-Security-Policy> </nwebsec> </location>

    The config in the subdirectory overrides the main Web.config - so strictDynamic="false" switches off use of those CSP3 nonces, and the clear element removes all pre-existing elements in the collection so a new set of domains can be used.