Saturday, August 29, 2020

Sitecore Content Security Policy Issue

Sitecore 9+ ships a Content-Security-Policy custom header in web.config. It sits inside <location path="sitecore">, so it applies to the Sitecore client under /sitecore (Launchpad, Content Editor, Experience Editor) and not to the public site pages. The policy sets default-src but no connect-src, so default-src governs XMLHttpRequest and fetch calls made from the Sitecore client, and the browser blocks any API call to a domain that is not listed there. The symptom is a browser console error of the form "Refused to connect to 'https://mydomain.com/...' because it violates the following Content Security Policy directive: "default-src ...". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.", and the request never reaches the server.



Open the web.config in the website root and look for customHeaders under <location path="sitecore">. Sitecore config patches in App_Config/Include only patch the <sitecore> section, so this has to be a direct web.config edit or a web.config transform, and it needs to be reapplied after an upgrade that replaces web.config:

<configuration>
  <location path="sitecore">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Content-Type-Options"/>
          <remove name="X-XSS-Protection"/>
          <remove name="Content-Security-Policy"/>
          <add name="X-XSS-Protection" value="1; mode=block"/>
          <add name="X-Content-Type-Options" value="nosniff"/>
          <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://apps.sitecore.net; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' 'unsafe-inline' https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content;"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>


Now let's allow the other domain, https://mydomain.com, in the CSP by adding it to default-src, which is the directive the blocked request falls back to. Keep in mind that default-src is also the fallback for script-src, frame-src, object-src, media-src and every other fetch directive that is not set explicitly, so this permits scripts and frames from that host in the Sitecore client as well. If the host only serves an API, the narrower change is to add a connect-src directive listing 'self', https://apps.sitecore.net and https://mydomain.com and leave default-src as it is. Either way, saving web.config restarts the application; confirm the new header in the response headers of a /sitecore request in the browser dev tools before retesting the call.

<configuration>
  <location path="sitecore">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Content-Type-Options"/>
          <remove name="X-XSS-Protection"/>
          <remove name="Content-Security-Policy"/>
          <add name="X-XSS-Protection" value="1; mode=block"/>
          <add name="X-Content-Type-Options" value="nosniff"/>
          <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://apps.sitecore.net https://mydomain.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' 'unsafe-inline' https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content;"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>
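To make the fallback rule concrete, here is an added example (my own code, not part of Sitecore or of this post) that reads the CSP out of a web.config fragment like the one above, evaluates a cross-origin call against it the way the browser does, and emits a tightened header that admits the API host through connect-src instead of default-src. The web.config fragment, the content-management origin https://cm.example.local and the API host https://mydomain.com are constructed for illustration, and the matcher is a simplified CSP source-expression check (ports, paths and the http-to-https leniency are left out).

```python
"""Evaluate a Sitecore-style Content-Security-Policy the way a browser does and
emit a tightened replacement. Added example for this post, not Sitecore code;
the web.config fragment and the hosts below are constructed for illustration."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the customHeaders block under <location path="sitecore">,
# reduced to the CSP header only.
WEB_CONFIG = """<configuration>
  <location path="sitecore">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="Content-Security-Policy"/>
          <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://apps.sitecore.net; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' 'unsafe-inline' https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content;"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>"""

# Fetch directives that fall back to default-src when not set explicitly.
FALLS_BACK_TO_DEFAULT = {"connect-src", "script-src", "img-src", "style-src",
                         "font-src", "frame-src", "media-src", "object-src", "worker-src"}

def csp_elements(root, location="sitecore"):
    """Yield the <add name="Content-Security-Policy"> elements under a location."""
    for loc in root.iter("location"):
        if loc.get("path") == location:
            for add in loc.iter("add"):
                if add.get("name") == "Content-Security-Policy":
                    yield add

def read_csp(web_config_xml):
    return next(csp_elements(ET.fromstring(web_config_xml))).get("value")

def write_csp(web_config_xml, header):
    """Return the web.config XML with the CSP value replaced by header."""
    root = ET.fromstring(web_config_xml)
    for add in csp_elements(root):
        add.set("value", header)
    return ET.tostring(root, encoding="unicode")

def parse_csp(header):
    """'default-src a b; img-src c' -> {'default-src': ['a', 'b'], 'img-src': ['c']}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def serialize_csp(policy):
    return "; ".join(" ".join([name] + srcs) for name, srcs in policy.items())

def source_matches(source, url, page_origin):
    """Simplified source-expression match: keywords, scheme sources, host
    sources with optional scheme and *. wildcard; ports and paths are ignored."""
    src = source.lower()
    target, page = urlparse(url), urlparse(page_origin)
    if src.startswith("'"):                   # 'self', 'unsafe-inline', 'none', ...
        return src == "'self'" and (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if src == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if src.endswith(":"):                     # scheme source such as data:
        return target.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")   # host source; no scheme means the page's
    host = host.split("/")[0].split(":")[0]
    if target.scheme != (scheme or page.scheme):
        return False
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host

def allows(policy, directive, url, page_origin):
    """Return (allowed, governing directive); an unset fetch directive falls
    back to default-src, which is exactly what blocks the API call in the post."""
    if directive in policy:
        sources, governing = policy[directive], directive
    elif directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        sources, governing = policy["default-src"], "default-src"
    else:
        return True, None                     # nothing restricts this directive
    return any(source_matches(s, url, page_origin) for s in sources), governing

def allow_api_origin(policy, api_origin):
    """Permit fetch/XHR to api_origin through connect-src rather than by
    widening default-src, so scripts and frames from that host stay blocked."""
    new = {name: list(srcs) for name, srcs in policy.items()}
    if "connect-src" not in new:
        # Seed from default-src so hosts it already allowed keep working;
        # the 'unsafe-*' keywords have no meaning for connect-src.
        new["connect-src"] = [s for s in new.get("default-src", [])
                              if s not in ("'unsafe-inline'", "'unsafe-eval'")]
    if api_origin not in new["connect-src"]:
        new["connect-src"].append(api_origin)
    return new

if __name__ == "__main__":
    page, api = "https://cm.example.local", "https://mydomain.com"  # constructed
    policy = parse_csp(read_csp(WEB_CONFIG))
    print("before:", allows(policy, "connect-src", api + "/api/items", page))
    fixed = allow_api_origin(policy, api)
    print("after: ", allows(fixed, "connect-src", api + "/api/items", page))
    print("script:", allows(fixed, "script-src", api + "/evil.js", page))
    print(write_csp(WEB_CONFIG, serialize_csp(fixed)))
```

Running it prints the verdict before and after the change and the rewritten web.config. The script-src check is the point of the connect-src approach: the API host is allowed for XHR and fetch but a script loaded from it is still refused, whereas appending the host to default-src, as the web.config above does, allows both.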

