Episerver Cms and Content Security Policy Header


This is not so much a bug, but rather a question of why.
When adding a CSP to my Episerver site, I can configure everything to work safely and securely on the front end.
But the second one tries to load /episerver/cms, everything breaks because the CSP blocks dojo.js's attempts to run an eval() function as well as the inline scripts that are put into edit mode.

My question is this:
Are there any plans to fix this, as far as we are aware? Because running Episerver with a CSP that has to include both 'unsafe-inline' and 'unsafe-eval' feels rather bad.

Best Regards

Dec 13, 2018 13:54

I have disabled CSP on everything under /episerver and /Modules :(

But I still have the problem of the quicknavigator, which contains the following JavaScript: href="javascript:void(0)" :(

I am not sure what to do about that.

Jan 20, 2019 8:48

If you set up the CSP headers in a globally assigned ActionFilterAttribute, you can interrogate the ActionExecutingContext to determine if the request is a controller for a PageData object and whether it is a child request or not.

In the example below, all PageControllers have a currentContent parameter for the PageData object. Block controllers will always render with filterContext.IsChildAction being true. I check both values to ensure the CSP headers are only applied on content pages.

    using System.Web.Mvc;
    using EPiServer.ServiceLocation;

    public class ContentSecurityPolicyActionFilterAttribute : ActionFilterAttribute, IActionFilter
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Only page controllers bind a PageData parameter named "currentContent", and
            // block controllers always render as child actions, so together these two checks
            // restrict the header to content pages and leave /episerver edit mode alone.
            if (filterContext.ActionParameters.Keys.Contains("currentContent") && !filterContext.IsChildAction)
            {
                // GlobalSettings is the site's own settings type holding the configured policy string.
                var globalSettings = ServiceLocator.Current.GetInstance<GlobalSettings>();

                if (!string.IsNullOrWhiteSpace(globalSettings?.ContentSecurityPolicy))
                {
                    var csp = globalSettings.ContentSecurityPolicy;
                    filterContext.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
                }
            }
        }
    }
May 13, 2020 15:28