Sitefinity v10 ContentSecurityPolicyOptions as a Content-Sec

Posted by Community Admin on 04-Aug-2018 09:00

Sitefinity v10 ContentSecurityPolicyOptions as a Content-Security-Policy header?

All Replies

Posted by Community Admin on 01-Jun-2017 00:00

What's the secret to getting Sitefinity to return a Content-Security-Policy header containing the values configured in Settings > Advanced > Authentication > SecurityTokenService > IdentityServer > ContentSecurityPolicyOptions? 

I can see in the code that it's being used to set the CspOptions of the IdentityServer3, and that those are subsequently used by the ActionFilter SecurityHeadersAttribute (with an EnableCsp property, defaulting to true), and that that attribute has been given to a handful of IdentityServer3.Core.EndPoints controllers.  However, the SecurityHeadersAttribute is internal and so can't be registered globally in custom site-wide initialization logic. 

So, how does one take advantage of it, short of writing an ActionFilter that repeats what SecurityHeadersAttribute does, which amounts to calling GetOwinContext on HttpActionExecutedContext and then retrieving the IdentityServerOptions and building a Content-Security-Policy header of our own?

Thanks in advance.

ewb
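The kind of filter the question describes, as an added example that is not part of the original post and is not Sitefinity or IdentityServer3 code: a public Web API action filter that builds a Content-Security-Policy header and can be registered globally. The `CspHeaderFilter` name and the directive map passed to it are hypothetical, and the example does not itself read ContentSecurityPolicyOptions or IdentityServerOptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Http.Filters;

// Added example: not Sitefinity or IdentityServer3 code.
public sealed class CspHeaderFilter : ActionFilterAttribute
{
    private const string HeaderName = "Content-Security-Policy";
    private readonly string policy;

    // directives: hypothetical map of directive name -> space-separated sources,
    // e.g. { "script-src", "https://cdn.example" } (constructed value).
    public CspHeaderFilter(IDictionary<string, string> directives)
    {
        if (directives == null) throw new ArgumentNullException("directives");
        policy = BuildPolicy(directives); // validate once at start-up, not per request
    }

    public override void OnActionExecuted(HttpActionExecutedContext context)
    {
        var response = context.Response; // null when the action threw
        if (response == null || response.Headers.Contains(HeaderName))
            return; // keep a policy already set further up the pipeline
        response.Headers.Add(HeaderName, policy);
    }

    public static string BuildPolicy(IDictionary<string, string> directives)
    {
        // Assumption of this example: everything defaults to same-origin.
        var parts = new List<string> { "default-src 'self'" };
        foreach (var pair in directives)
        {
            var sources = (pair.Value ?? string.Empty).Trim();
            if (sources.Length == 0) continue;
            // ';' or ',' would start another directive or policy; CR/LF would split the header.
            if (sources.IndexOfAny(new[] { ';', ',', '\r', '\n' }) >= 0)
                throw new FormatException(pair.Key + " contains a separator character");
            parts.Add(pair.Key + " 'self' " + sources);
        }
        return string.Join("; ", parts);
    }
}

// Registration in Web API start-up code (config is the site's HttpConfiguration):
// config.Filters.Add(new CspHeaderFilter(new Dictionary<string, string>
//     { { "script-src", "https://cdn.example" } }));
```

A filter registered this way only covers responses produced by Web API controllers; pages served by MVC or Web Forms handlers need the header set elsewhere in the pipeline.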

This thread is closed