Sitefinity v10 ContentSecurityPolicyOptions as a Content-Security-Policy header?

1 posts, 0 answered
  1. Eric
    5 posts
    14 May 2015
    01 Jun 2017

    What's the secret to getting Sitefinity to return a Content-Security-Policy header containing the values configured in Settings > Advanced > Authentication > SecurityTokenService > IdentityServer > ContentSecurityPolicyOptions? 

    I can see in the code that it's being used to set the CspOptions of the IdentityServer3, and that those are subsequently used by the ActionFilter SecurityHeadersAttribute (with an EnableCsp property, defaulting to true), and that that attribute has been given to a handful of IdentityServer3.Core.EndPoints controllers.  However, the SecurityHeadersAttribute is internal and so can't be registered globally in custom site-wide initialization logic. 

    So, how does one take advantage of it, short of writing an ActionFilter that repeats what SecurityHeadersAttribute does, which amounts to calling GetOwinContext on HttpActionExecutedContext and then retrieving the IdentityServerOptions and building a Content-Security-Policy header of our own?

    Thanks in advance.
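
The custom filter approach the post describes, as an added example (not part of the original post, and not Sitefinity or IdentityServer3 code). `CspSettings`, `CspHeaderAttribute` and the settings delegate are hypothetical names; how the configured ContentSecurityPolicyOptions values get loaded into `CspSettings` is an assumption left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Http.Filters;

// Hypothetical settings holder; not a Sitefinity or IdentityServer3 type.
public sealed class CspSettings
{
    public bool Enabled { get; set; } = true;
    // Directive name (e.g. "script-src") -> extra sources allowed besides 'self'.
    public IDictionary<string, string> ExtraSources { get; } =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
}

// Web API action filter that emits Content-Security-Policy on HTML responses.
public sealed class CspHeaderAttribute : ActionFilterAttribute
{
    private const string HeaderName = "Content-Security-Policy";
    private readonly Func<CspSettings> _settings; // assumed loader for the configured values

    public CspHeaderAttribute(Func<CspSettings> settings)
    {
        _settings = settings ?? throw new ArgumentNullException(nameof(settings));
    }

    public override void OnActionExecuted(HttpActionExecutedContext context)
    {
        base.OnActionExecuted(context);
        var response = context?.Response;
        if (response == null || !response.IsSuccessStatusCode) return;
        // A CSP only matters for documents the browser renders.
        var mediaType = response.Content?.Headers.ContentType?.MediaType;
        if (!string.Equals(mediaType, "text/html", StringComparison.OrdinalIgnoreCase)) return;
        var settings = _settings();
        // Leave a policy set earlier in the pipeline untouched.
        if (settings == null || !settings.Enabled || response.Headers.Contains(HeaderName)) return;
        response.Headers.Add(HeaderName, BuildPolicy(settings));
    }

    public static string BuildPolicy(CspSettings settings)
    {
        var directives = new List<string> { "default-src 'self'" };
        foreach (var pair in settings.ExtraSources.Where(p => !string.IsNullOrWhiteSpace(p.Value)))
        {
            // Reject characters that would end the directive or start a second policy.
            if (pair.Value.IndexOfAny(new[] { ';', ',', '\r', '\n' }) >= 0)
                throw new FormatException("Invalid source list for " + pair.Key);
            directives.Add(pair.Key + " 'self' " + pair.Value.Trim());
        }
        return string.Join("; ", directives);
    }
}
```

Because the constructor takes a delegate, an instance is added to the Web API `HttpConfiguration.Filters` collection rather than applied declaratively, and it covers Web API controllers only.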

