Chrome ignoring CSP (Content Security Policy) affecting Browser Link on ASP.NET application using .NET Core
I am trying to get the browser link to work on a .net core asp.net application. Although I am setting the CSP properly (at least I think I am), Chrome seems to be using a default. Here is what I see in the console:
This is what I have in the shared layout used by all views:
This is the source rendered on the browser (Chrome) when pressing Ctrl+U:
The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;
Am I missing something here or is this a google Chrome issue? Maybe is a setting I am not aware of, but I've scoured the web and have not found a solution for this issue.
The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;
That's because your asp.net app publishes CSP via HTTP header (you can see it).
So you have 2 CSPs delivered: one via meta tag and second - via HTTP header. In this case both are applied consequentially and a strictest one does block.
Check web.config file for lines like:
<add name="Content-Security-Policy" value="default-src 'self'" />
<content-Security-Policy enabled="true">
Also check the NWebsec NuGet package settings - it can publish CSP header via web.config file, via middleware or via MVC attributes:
- NWebsec.AspNetCore.Mvc package provides configure CSP via MVC attributes.
- NWebsec.AspNetCore.Mvc.TagHelpers package includes Tag helpers to manage the script and style 'nonces'.
- NWebsec.AspNetCore.Middleware package includes OWIN CSP middleware.
You have to use meta tag or HTTP header to publish Content Security Policy, but not both at the same time.
- What is the difference between SendAsync and SendMailAsync methods of SmtpClient?
- How to get the current logged in user ID in ASP.NET Core?
- Possible to Compile ASP.NET to Machine Code?
- How to unchecked RadioButton on ASP.NET/VB.NET
- How can I count a value of table records, using session variable?
- Facebook Graph API getting data when user not logged in
- Developing ASP.NET Facebook App Locally
- Use an assembly in an aspx page
- how to display none through code behind
- ASP.NET "special" tags
- Unable to utilize UrlHelper
- How do I avoid the status error after Http Headers sent?
- How do I loop through a PropertyCollection
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- Has an event handler already been added?
- td data is not coming in single line
- EF SaveChanges not saving and not throwing exception
- .Net test URL is valid?
- HtmlAgilityPack: How can I remove a tag from a node while I'm looping through the node collection?
- Unsupported Media Type http response when upload file using c# api.
- Parser Error Message: Could not load type 'sometype'
- A non-blocking socket operation could not be completed immediately
- How to attach a PDF generated using jsPDF to the mail using asp.net c#
- Automating finding compile errors in ASP.NET pages
- Compiling a 6GB site
- Is there C# compiler for Mac OS X?
- An error occured after adding the initial Migration while accessing the Microsoft.extension.hosting services
- Website in pure C#
- How do I interpret error codes from FrontPage Extensions?
- What is the use of Normalized Email & UserName in .NET core IdentityUser Model?