Missing content security policy header - issue with chrome and firefox


You might want to better familiarize yourself with what CSP (Content Security Policy) does. It's actually a good idea to implement from a security standpoint.

Activating a policy without explicitly setting it (in this case "default-src") is the same as setting it to "none". So what your setting does...

<add name="Content-Security-Policy" value="default-src" />

...is tell the browser to not accept resources from any sources. You've said that the default permitted source for this page is "none". No linking images, no CSS, no scripts. You've turned it all off.

A better default may be: default-src self;

That will allow you to link to CSS and JS files on the same domain. Possibly add style-src self unsafe-inline;, but I would not recommend the same for script-src.

It totally depends on your site of course. If you're using inline <script> and <style> tags, look into CSP nonces -- they're pretty easy to use, and more secure than unsafe-inline. If your pages are littered with "onclick"s, you'll have to do some cleanup. (That type of coding has been discouraged for well over a decade, but you may be dealing with old code, as I do every day.)

Personally, I don't set it at the Server level. I set it in PHP, which allows flexibility if one particular page needs looser security for some reason (such as using Google Charts, which requires really loose CSP due to eval() statements.) Well, that and you can't use nonces at the Server level, as they have to be generated at the same time as the page.


Author: Amit Kumar

Updated on May 25, 2022

Comments

  • Amit Kumar almost 2 years

    I have to fix the Missing Content Security Policy Header issue for a Classic ASP application. We have added the below in Web.config:

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Content-Security-Policy" value="default-src" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
    

    After the change, in IE the application is working, but in Mozilla and Chrome the application is not rendering properly (the CSS is not loading properly).

    If I add the same in a particular ASP page too (Response.AddHeader "Content-Security-Policy","default-src"), the same issue happens.

    Please advise.

    • Adam McGurk over 6 years
      Couldn't you just pass it as a meta tag in your HTML head?
    • Amit Kumar over 6 years
      @AdamMcGurk On the Google developer site I found this: "CSP's preferred delivery mechanism is an HTTP header. It can be useful, however, to set a policy on a page directly in the markup. Do that using a <meta> tag with an http-equiv attribute: <meta http-equiv="Content-Security-Policy" content="default-src cdn.example.net; child-src 'none'; object-src 'none'"> This can't be used for frame-ancestors, report-uri, or sandbox." And my application uses iframes. So I think it's not possible to use a meta tag for me.
    • Adam McGurk over 6 years
      Well if your application uses iFrames, wouldn't that render this http header useless? Also, can you give us more information on the application?
  • Stephen R almost 6 years
    A very nice PHP library for working with CSP: github.com/paragonie/csp-builder