Sitefinity v10 ContentSecurityPolicyOptions as a Content-Security-Policy header?

1 posts, 0 answered
  1. Eric
    5 posts
    Registered:
    14 May 2015
    01 Jun

    What's the secret to getting Sitefinity to return a Content-Security-Policy header containing the values configured in Settings > Advanced > Authentication > SecurityTokenService > IdentityServer > ContentSecurityPolicyOptions? 

    I can see in the code that it's being used to set the CspOptions of the IdentityServer3, and that those are subsequently used by the ActionFilter SecurityHeadersAttribute (with an EnableCsp property, defaulting to true), and that that attribute has been given to a handful of IdentityServer3.Core.EndPoints controllers.  However, the SecurityHeadersAttribute is internal and so can't be registered globally in custom site-wide initialization logic. 

    So, how does one take advantage of it, short of writing an ActionFilter that repeats what SecurityHeadersAttribute does, which amounts to calling GetOwinContext on HttpActionExecutedContext and then retrieving the IdentityServerOptions and building a Content-Security-Policy header of our own?

    Thanks in advance.

    ewb
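
The workaround described in the post above, sketched as an added example (not part of the original post, and not Sitefinity or IdentityServer3 code): an ASP.NET Web API action filter that builds its own Content-Security-Policy header. `SiteCspSettings` and `CspHeaderFilter` are hypothetical names, the settings object is assumed to be filled by the site with the same source lists it configured, and the policy layout is an assumption rather than a copy of what `SecurityHeadersAttribute` emits.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Http.Filters;

// Hypothetical settings holder; the site populates it from its own configuration.
public sealed class SiteCspSettings
{
    public bool Enabled { get; set; }
    public string ScriptSrc { get; set; }
    public string StyleSrc { get; set; }
    public string ImgSrc { get; set; }
    public string FontSrc { get; set; }
    public string ConnectSrc { get; set; }
}

public sealed class CspHeaderFilter : ActionFilterAttribute
{
    private const string HeaderName = "Content-Security-Policy";
    private readonly SiteCspSettings _settings;

    public CspHeaderFilter(SiteCspSettings settings)
    {
        if (settings == null) throw new ArgumentNullException("settings");
        _settings = settings;
    }

    public override void OnActionExecuted(HttpActionExecutedContext context)
    {
        var response = context.Response; // null when the action threw
        if (!_settings.Enabled || response == null) return;
        // Keep a policy that is already present, e.g. one set by the IdentityServer endpoints.
        if (response.Headers.Contains(HeaderName)) return;
        response.Headers.Add(HeaderName, BuildPolicy(_settings));
    }

    public static string BuildPolicy(SiteCspSettings s)
    {
        var parts = new List<string> { "default-src 'self'" };
        AddDirective(parts, "script-src", s.ScriptSrc);
        AddDirective(parts, "style-src", s.StyleSrc);
        AddDirective(parts, "img-src", s.ImgSrc);
        AddDirective(parts, "font-src", s.FontSrc);
        AddDirective(parts, "connect-src", s.ConnectSrc);
        return string.Join("; ", parts);
    }

    private static void AddDirective(List<string> parts, string name, string sources)
    {
        if (string.IsNullOrWhiteSpace(sources)) return; // falls back to default-src
        // A ';', ',' or line break in a configured value would start a new directive or header.
        if (sources.IndexOfAny(new[] { ';', ',', '\r', '\n' }) >= 0)
            throw new ArgumentException("Invalid character in " + name + " sources.");
        parts.Add(name + " 'self' " + sources.Trim());
    }
}
```

Registering it with `GlobalConfiguration.Configuration.Filters.Add(new CspHeaderFilter(settings))` applies it to Web API responses only; pages served outside Web API are not covered by this filter.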