Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License

CSP - script-src-elem violated in self-hosted setup #2279

Open erwinkramer opened 10 months ago

erwinkramer commented 10 months ago

Bug description

CSP will be violated on self-hosted, because it cannot run a script that calls back to the portal page.

In a self-hosted setup, you have:

```json
{
    "csp-report": {
        "document-uri": "https://BACKEND/signin-oauth/implicit/callback",
        "referrer": "https://login.microsoftonline.com/",
        "violated-directive": "script-src-elem",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self' *.WHOLE_ORG; report-uri SOMESITE",
        "disposition": "report",
        "blocked-uri": "inline",
        "line-number": 7,
        "source-file": "https://BACKEND/signin-oauth/implicit/callback",
        "status-code": 200,
        "script-sample": ""
    }
}
```

A console message looks something like this:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' *.WHOLE_ORG". Either the 'unsafe-inline' keyword, a hash ('sha256-SOMEHASH'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Reproduction steps

  1. Configure CSP in the API Management resource to enabled or report-only
  2. Go to an API in the API portal that has implicit auth configured
  3. Call the implicit auth
  4. See it authenticating, but not calling back to the portal

Expected behavior

Should allow calls

Is your portal managed or self-hosted?

Self-hosted

Release tag or commit SHA (if using self-hosted version)

Latest