Made CSP middleware the same for both web services
parent
1f3d895a1c
commit
bbaf251525
@ -34,11 +34,20 @@ namespace Teknik.IdentityServer.Middleware
|
||||
allowedDomain = host;
|
||||
}
|
||||
|
||||
var csp = "default-src 'self';" +
|
||||
"img-src * 'self' data: https:;" +
|
||||
$"style-src 'self' {allowedDomain};" +
|
||||
$"font-src 'self' {allowedDomain};" +
|
||||
$"script-src 'self' 'unsafe-inline' {allowedDomain};";
|
||||
var csp = string.Format(
|
||||
"default-src 'none'; " +
|
||||
"script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +
|
||||
"style-src 'unsafe-inline' {0}; " +
|
||||
"img-src data: *; " +
|
||||
"font-src data: {0}; " +
|
||||
"connect-src wss: blob: data: {0}; " +
|
||||
"media-src *; " +
|
||||
"worker-src blob: mediastream: {0}; " +
|
||||
"form-action {0}; " +
|
||||
"base-uri {0}; " +
|
||||
"frame-ancestors {0};",
|
||||
allowedDomain,
|
||||
httpContext.Items[Constants.NONCE_KEY]);
|
||||
|
||||
if (!httpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
|
||||
{
|
||||
|
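Review bot: The `script-src` line now substitutes `httpContext.Items[Constants.NONCE_KEY]` for the removed `'unsafe-inline'`, so if nothing earlier in the IdentityServer pipeline populates that item the header goes out with an empty `'nonce-'` source and any inline script on these pages is presumably blocked rather than allowed as before; a guard such as `var nonce = httpContext.Items[Constants.NONCE_KEY] as string ?? throw new InvalidOperationException("CSP nonce was not set for this request");` ahead of the `string.Format` call makes that dependency explicit instead of failing quietly in the browser. The same policy string is now duplicated verbatim in Teknik.Middleware (the third section of this commit); keeping it in one shared constant or helper would stop the two services drifting apart again. The two middlewares also still differ in that this one only adds the header when `Content-Security-Policy` is absent while the other appends unconditionally. Whether `'unsafe-eval'`, `media-src *` and `worker-src blob: mediastream:` are needed by the identity server is not visible here; if they exist only for the main web app they widen this service's policy relative to the one being replaced. The enclosing method starts and ends outside the hunk.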
@ -45,7 +45,6 @@
|
||||
<link href="~/images/favicon.ico" rel="apple-touch-icon-precomposed" />
|
||||
|
||||
<bundle src="css/common.min.css" append-version="true"></bundle>
|
||||
<bundle src="js/common.min.js" append-version="true"></bundle>
|
||||
</head>
|
||||
<body data-twttr-rendered="true">
|
||||
<div id="wrap">
|
||||
|
@ -42,7 +42,20 @@ namespace Teknik.Middleware
|
||||
allowedDomain += " " + config.CdnHost;
|
||||
}
|
||||
|
||||
httpContext.Response.Headers.Append("Content-Security-Policy", string.Format("default-src 'none'; script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; style-src 'unsafe-inline' {0}; img-src data: *; font-src data: {0}; connect-src wss: blob: data: {0}; media-src *; worker-src blob: mediastream: {0}; form-action {0}; base-uri {0}; frame-ancestors {0};", allowedDomain, httpContext.Items[Constants.NONCE_KEY]));
|
||||
httpContext.Response.Headers.Append("Content-Security-Policy", string.Format(
|
||||
"default-src 'none'; " +
|
||||
"script-src blob: 'unsafe-eval' 'nonce-{1}' {0}; " +
|
||||
"style-src 'unsafe-inline' {0}; " +
|
||||
"img-src data: *; " +
|
||||
"font-src data: {0}; " +
|
||||
"connect-src wss: blob: data: {0}; " +
|
||||
"media-src *; " +
|
||||
"worker-src blob: mediastream: {0}; " +
|
||||
"form-action {0}; " +
|
||||
"base-uri {0}; " +
|
||||
"frame-ancestors {0};",
|
||||
allowedDomain,
|
||||
httpContext.Items[Constants.NONCE_KEY]));
|
||||
}
|
||||
|
||||
return _next(httpContext);
|
||||
|
@ -314,6 +314,5 @@ namespace Teknik
|
||||
context.Response.StatusCode = 403;
|
||||
context.HandleResponse();
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|