Content Security Vulnerability in ASP.NET(WebForms)

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Issue: While implementing CSP (Content Security Policy) in ASP.NET Web Forms, some of the scripts stop working on the UI, or the application does not behave normally.


Cause: 'unsafe-inline' and 'unsafe-eval' were not included in the CSP settings for the ASP.NET Web Forms application.



There is no way for a Web Forms app to run with a CSP without allowing 'unsafe-inline' on scripts and styles, and probably 'unsafe-eval' on either or both, depending on third-party controls. Arguably, once you start allowing 'unsafe-inline' on scripts, Content Security Policy is frankly neutered at that point.


As Web Forms is considered complete, with no new features being added, this is not going to change. To gain a modicum of control over the HTML output you really need to move to MVC.


Workaround: add the header in web.config, under system.webServer / httpProtocol / customHeaders:

<!-- web.config: <system.webServer><httpProtocol><customHeaders> -->
<add name="Content-Security-Policy" value="default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';" />
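As an added example (not from the original post), the Python script below parses a CSP header, resolves the default-src fallback, and lists the settings that weaken the policy, so the workaround above can be compared with a constructed tighter policy that keeps only the 'unsafe-inline'/'unsafe-eval' keywords the post says Web Forms needs; the tighter policy and its /csp-report path are assumptions.

```python
"""Audit a Content-Security-Policy value for settings that weaken it.
Added example, not code from the original post: it parses a CSP string,
resolves the default-src fallback and lists findings, so the post's
workaround can be compared with a tighter policy that still keeps the
'unsafe-inline'/'unsafe-eval' keywords WebForms needs on script/style."""
from typing import Dict, List
# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "frame-src", "media-src", "object-src")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'name src src; name src' into {name: [sources]} (names lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources applying to a fetch directive, using default-src if it is unset."""
    return policy.get(directive, policy.get("default-src", []))

def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if "*" in sources:
            findings.append(f"{directive}: wildcard '*' allows any origin")
        if directive in ("script-src", "style-src"):
            for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
                if keyword in sources:
                    findings.append(f"{directive}: {keyword} present")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src: not 'none', plugin content is allowed")
    if "base-uri" not in policy:  # base-uri has no default-src fallback
        findings.append("base-uri: missing, relative URLs can be re-based")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("reporting: no report-uri/report-to, violations go unseen")
    return findings
# The header from the post's workaround and a constructed tighter alternative.
WORKAROUND_CSP = ("default-src 'self'; connect-src *; font-src *; frame-src *; "
                  "img-src * data:; media-src *; object-src *; "
                  "script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';")
TIGHTER_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
               "style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; "
               "base-uri 'self'; frame-ancestors 'none'; report-uri /csp-report")
```

Running `audit_csp` on the two values shows the workaround flagged 14 times and the tighter policy only for the three keywords Web Forms itself requires, which is the residual risk the post describes.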
