Made CSP middleware the same for both web services

IdentityServer/Middleware/CSPMiddleware.cs

@@ -34,11 +34,20 @@ namespace Teknik.IdentityServer.Middleware
                     allowedDomain = host;
                 }
 
-                var csp = "default-src 'self';" +
-                         "img-src * 'self' data: https:;" +
-                         $"style-src 'self' {allowedDomain};" +
-                         $"font-src 'self' {allowedDomain};" +
-                         $"script-src 'self' 'unsafe-inline' {allowedDomain};";
+                var csp = string.Format(
+                    "default-src 'none'; " +
+                    "script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +
+                    "style-src 'unsafe-inline' {0}; " +
+                    "img-src data: *; " +
+                    "font-src data: {0}; " +
+                    "connect-src wss: blob: data: {0}; " +
+                    "media-src *; " +
+                    "worker-src blob: mediastream: {0}; " +
+                    "form-action {0}; " +
+                    "base-uri {0}; " +
+                    "frame-ancestors {0};",
+                    allowedDomain,
+                    httpContext.Items[Constants.NONCE_KEY]);
 
                 if (!httpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
                 {

IdentityServer/Views/Shared/_Layout.cshtml

@@ -45,7 +45,6 @@
         <link href="~/images/favicon.ico" rel="apple-touch-icon-precomposed" />
         
         <bundle src="css/common.min.css" append-version="true"></bundle>
-        <bundle src="js/common.min.js" append-version="true"></bundle>
 </head>
 <body data-twttr-rendered="true">
     <div id="wrap">

Teknik/Middleware/CSPMiddleware.cs

@@ -42,7 +42,20 @@ namespace Teknik.Middleware
                     allowedDomain += " " + config.CdnHost;
                 }                
 
-                httpContext.Response.Headers.Append("Content-Security-Policy", string.Format("default-src 'none'; script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; style-src 'unsafe-inline' {0}; img-src data: *; font-src data: {0}; connect-src wss: blob: data: {0}; media-src *; worker-src blob: mediastream: {0}; form-action {0}; base-uri {0}; frame-ancestors {0};", allowedDomain, httpContext.Items[Constants.NONCE_KEY]));
+                httpContext.Response.Headers.Append("Content-Security-Policy", string.Format(
+                    "default-src 'none'; " +
+                    "script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +
+                    "style-src 'unsafe-inline' {0}; " +
+                    "img-src data: *; " +
+                    "font-src data: {0}; " +
+                    "connect-src wss: blob: data: {0}; " +
+                    "media-src *; " +
+                    "worker-src blob: mediastream: {0}; " +
+                    "form-action {0}; " +
+                    "base-uri {0}; " +
+                    "frame-ancestors {0};", 
+                    allowedDomain, 
+                    httpContext.Items[Constants.NONCE_KEY]));
             }
 
             return _next(httpContext);

Teknik/Startup.cs

@@ -314,6 +314,5 @@ namespace Teknik
                 context.Response.StatusCode = 403;
             context.HandleResponse();
         }
-
     }
 }