Closed brockallen closed 10 years ago
+1 It would also be helpful to have an option to completely disable the CSP (e.g. to control SecurityHeadersAttribute.EnableCsp property from the identity server options).
Sometimes it is much easier to disable this when integrating with an existing infrastructure which uses inline scripts and various external JS.
Added a CspOptions property on the idsvr configuration. You can enable/disable it, enable/disable the report endpoint and also add additional script-src and/or style-src values.
Also updated the wiki with docs.
FontSrc also added
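As an added illustration (not code from the thread or from the IdentityServer3 project) of the two ways the options above can be used: switching CSP off entirely, versus keeping it on and allow-listing only the external origins a custom view needs. Property names follow the IdentityServer3 configuration docs as I recall them and should be checked against your version; `LoadCertificate`, `BuildFactory` and the origin URLs are hypothetical placeholders.

```csharp
using Owin;
using IdentityServer3.Core.Configuration;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var options = new IdentityServerOptions
        {
            SiteName = "Example IdP",
            SigningCertificate = LoadCertificate(), // hypothetical helper, not shown
            Factory = BuildFactory(),               // hypothetical helper, not shown

            // The quick route asked for in the first comment: disable CSP.
            // Every inline script and any external host is then allowed on the
            // login/consent pages, so anything injected into a view will run.
            // CspOptions = new CspOptions { Enabled = false },

            // Preferred: keep CSP enabled and add only the origins that the
            // custom views actually load scripts, styles and fonts from.
            // The hosts below are placeholders for this example.
            CspOptions = new CspOptions
            {
                Enabled   = true,
                ScriptSrc = "https://cdn.example.com",
                StyleSrc  = "https://cdn.example.com https://fonts.googleapis.com",
                FontSrc   = "https://fonts.gstatic.com"
            },

            Endpoints = new EndpointOptions
            {
                // Keep the report endpoint on so a missing origin shows up as
                // a logged violation instead of a silently broken page.
                EnableCspReportEndpoint = true
            }
        };

        app.UseIdentityServer(options);
    }
}
```

If a custom view stops rendering after this change, the CSP report endpoint's log entries name the blocked origin, which is what to add to the matching *Src value rather than turning the policy off.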
Is there a similar way to disable Xfo? At https://github.com/IdentityServer/Thinktecture.IdentityServer3/blob/master/source/Core/Configuration/Hosting/SecurityHeadersAttribute.cs I see that EnableCsp reads the IdentityServerOptions, but it does not seem possible to change EnableXfo in a similar way.
Why would you want to do that?
We have a SPA which shows the login-window in an iframe. When using auth0 as idp it's working, but when using IdentityServer we get a message similar to: [Refused to display 'url-to-idp' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN']
Right - because we think that there is a security concern embedding the login screen into an untrusted page.
I definitely understand that you want to keep the default as safe as possible, but shouldn’t this be up to the user (operations)?
Now it seems to work with the latest version (2.2.3 by now), so no need to download the whole IdentityServer 3 code and recompile it with this single change in SecurityHeadersAttribute.cs file
EnableXfo = false;
... as I have done previously with 2.1.1 version. Glad you removed the X-Frame-Options block!
@firez5566 what do you mean by "Glad you removed the X-Frame-Options block"?
To allow for custom views to embed external CSS/JS