This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .
Issue : While implementing CSP(content security policy) in ASP.NET WEB Forms, few of the scripts are not working on the UI or application does not behave normally.
Cause: unsafe-inline and unsafe-eval were not included in CSP Settings for ASP.NET Webforms.
Solution:
There’s no way for a webforms app to run with a CSP without allowing unsafe-inline on scripts, styles and, probably unsafe-eval on either or both, depending on 3rd party controls, and arguable once you start allowing unsafe-inline on scripts, well, content security policy is frankly neutered at that point.
As webforms is considered complete, with no new features being added this isn’t going to change. To gain a modicum of control over the html output you really need to move to MVC
Workaround :
<add name="Content-Security-Policy" value="default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';" />