Chrome ignoring CSP (Content Security Policy) affecting Browser Link on ASP.NET application using .NET Core
I am trying to get the browser link to work on a .net core asp.net application. Although I am setting the CSP properly (at least I think I am), Chrome seems to be using a default. Here is what I see in the console:
This is what I have in the shared layout used by all views:
This is the source rendered on the browser (Chrome) when pressing Ctrl+U:
The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;
Am I missing something here or is this a google Chrome issue? Maybe is a setting I am not aware of, but I've scoured the web and have not found a solution for this issue.
The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;
That's because your asp.net app publishes CSP via HTTP header (you can see it).
So you have 2 CSPs delivered: one via meta tag and second - via HTTP header. In this case both are applied consequentially and a strictest one does block.
Check web.config file for lines like:
<add name="Content-Security-Policy" value="default-src 'self'" />
<content-Security-Policy enabled="true">
Also check the NWebsec NuGet package settings - it can publish CSP header via web.config file, via middleware or via MVC attributes:
- NWebsec.AspNetCore.Mvc package provides configure CSP via MVC attributes.
- NWebsec.AspNetCore.Mvc.TagHelpers package includes Tag helpers to manage the script and style 'nonces'.
- NWebsec.AspNetCore.Middleware package includes OWIN CSP middleware.
You have to use meta tag or HTTP header to publish Content Security Policy, but not both at the same time.
- bootstrap modal+ajax+jquery+validation+.net core 2.0
- Run web service API on same or separate servers?
- Join Date and Time to DateTime in VB.NET
- The Id cannot be computed, since the navigation source 'values' cannot be resolved to a known entity set from model
- C# HttpClient's PostAsync fails when HttpRuntime's TargetFramework is set to 4.8
- Chargify how can get total transactions of between two dates?
- Dynamic property type based on value of another property
- Using tinyurl.com in a .Net application ... possible?
- Swagger different classes in different namespaces with same name don't work
- Reference to IExceptionHandler interface not being resolved from Microsoft.AspNetCore.Diagnostics
- Improve Performance of initial page load time with Blazor Webassembly
- OAuth2 WebApi Token Expiration
- IIS API - Create virtual directories?
- Cannot drop database because it is currently in use
- How do I find type of c# project from Visual Studio?
- Calling Javascript from a SSR Page Blazor .NET core
- Blazor webassembly pwa session storage not persisting after deployment to Azure
- How to determine whether an IP address is private?
- How to access ASP.NET Swagger API published in Docker?
- Identity Server 4 ASP.NET Quickstart 'refused connection'
- How to get a List of valid currencies from Stripe
- Strange behaviour of ViewState
- HttpResponse content with bad encoding
- Display bytes as images on an .aspx page
- Class in App_Code not accessible
- Accessing a Class that is NOT declared in App_Code in ASP.NET
- Classes residing in App_Code is not accessible
- Is it possible to use SignalR on a Node.js backend?
- What does "cannot be marshaled by the runtime marshaler" mean?
- Add a column to a gridview associated with an SQL data source [C#/ASP/Webform]