andrewmarkham / contentsecuritypolicy

Episerver addon to help manage the sites content security policy.
Apache License 2.0
9 stars 4 forks

An item with the same key has already been added. Key: Content-Security-Policy #65

Closed LucGosso closed 1 year ago

LucGosso commented 1 year ago

Hi!! Nice plugin, well done!

Every now and then (haven't found any regularity) I get this error, sometimes at startup on the server.


2023-01-21T10:45:43.296944600Z       Failed to determine the https port for redirect.
2023-01-21T10:45:44.649420047Z warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
2023-01-21T10:45:44.649526247Z       Failed to determine the https port for redirect.
2023-01-21T10:45:44.936669894Z fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
2023-01-21T10:45:44.936753194Z       An unhandled exception has occurred while executing the request.
2023-01-21T10:45:44.936759594Z       System.ArgumentException: An item with the same key has already been added. Key: Content-Security-Policy
2023-01-21T10:45:44.943094793Z          at System.Collections.Generic.Dictionary`2.TryInsert(TKey key, TValue value, InsertionBehavior behavior)
2023-01-21T10:45:44.943128892Z          at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
2023-01-21T10:45:44.943145092Z          at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpResponseHeaders.AddValueUnknown(String key, StringValues value)
2023-01-21T10:45:44.943150992Z          at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpResponseHeaders.AddValueFast(String key, StringValues value)
2023-01-21T10:45:44.953722491Z          at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpHeaders.System.Collections.Generic.IDictionary<System.String,Microsoft.Extensions.Primitives.StringValues>.Add(String key, StringValues value)
2023-01-21T10:45:44.954517890Z          at Jhoose.Security.Services.JhooseSecurityService.AddContentSecurityPolicy(HttpResponse response)
2023-01-21T10:45:44.954534790Z          at Jhoose.Security.Middleware.ContentSecurityPolicyMiddleware.InvokeAsync(HttpContext context, IJhooseSecurityService securityService)

I don't seem to be able to reproduce this in development.

What about having a check for whether the header is already added? Or a try/catch that logs the error?

Suggestion: if (!context.Response.Headers.ContainsKey("Content-Security-Policy")) { /* add CSP */ }

I do have this in startup ...

app.Use(async (context, next) =>
{
    //if (context.Response.Headers.All(x => x.Key != "Permissions-Policy"))
    context.Response.Headers.Add("Permissions-Policy", new[] { "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" });

    await next();
});

<ItemGroup>
        <PackageReference Include="Advanced.CMS.GroupingHeader" Version="2.0.0" />
        <PackageReference Include="Epicweb.Optimizely.RedirectManager" Version="6.0.0" />
        <PackageReference Include="AspNetCore.SassCompiler" Version="1.55.0" />
        <PackageReference Include="Baaijte.Optimizely.ImageSharp.Web" Version="2.1.1" />
        <PackageReference Include="Epicweb.Optimizely.QuickNavExtension" Version="6.0.0.0" />
        <PackageReference Include="EPiServer.CMS" Version="12.13.1" />
        <PackageReference Include="EPiServer.CMS.AspNetCore" Version="12.9.3" />
        <PackageReference Include="EPiServer.CMS.AspNetCore.HtmlHelpers" Version="12.9.3" />
        <PackageReference Include="EPiServer.CMS.TinyMce" Version="3.3.1" />
        <PackageReference Include="EPiServer.CMS.UI" Version="12.13.1" />
        <PackageReference Include="EPiServer.CMS.UI.AspNetIdentity" Version="12.13.1" />
        <PackageReference Include="EPiServer.CMS.UI.Core" Version="12.13.1" />
        <PackageReference Include="EPiServer.CMS.UI.Settings" Version="12.13.1" />
        <PackageReference Include="EPiServer.Framework" Version="12.9.3" />
        <PackageReference Include="EPiServer.Framework.AspNetCore" Version="12.9.3" />
        <PackageReference Include="EPiServer.Hosting" Version="12.9.3" />
        <PackageReference Include="Geta.Optimizely.ContentTypeIcons" Version="2.0.2" />
        <PackageReference Include="HtmlAgilityPack" Version="1.11.46" />
        <PackageReference Include="Jhoose.Security.Admin" Version="1.4.0.176" />
        <PackageReference Include="LigerShark.WebOptimizer.Core" Version="3.0.372" />
        <PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="6.0.10" />
        <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="6.0.10" />
        <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="6.0.10">
            <PrivateAssets>all</PrivateAssets>
            <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
        </PackageReference>
        <PackageReference Include="PictureRenderer.Optimizely" Version="2.4.0" />
        <PackageReference Include="Schema.NET" Version="11.0.1" />
        <PackageReference Include="Serilog" Version="2.12.0" />
        <PackageReference Include="Serilog.Extensions.Hosting" Version="5.0.1" />
        <PackageReference Include="Serilog.Sinks.File" Version="5.0.1-dev-00947" />
        <PackageReference Include="SixLabors.ImageSharp.Web" Version="2.0.2" />
    </ItemGroup>

andrewmarkham commented 1 year ago

Hi @LucGosso

Thanks for the feedback :)

I will take a look at this issue, please attach any additional logs if you get any.

Andy

andrewmarkham commented 1 year ago

Hi @LucGosso,

The module now handles duplicate headers. In this scenario, the duplicate is logged. If there is an exception, this will be logged, but the site will remain up.

Andy
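An added illustration (not Jhoose.Security's own code) of the guard both the report and the fix describe: check for the header before setting it and log the duplicate instead of letting IDictionary.Add throw the ArgumentException from the trace above, so a second copy of the header never takes the site down. The policy value and the middleware and logger names are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Hypothetical middleware for this issue; the real package's class names differ.
public sealed class CspHeaderMiddleware
{
    private const string HeaderName = "Content-Security-Policy";

    // Assumed policy; a real site would build this from its configuration.
    private const string Policy = "default-src 'self'; object-src 'none'; base-uri 'self'";

    private readonly RequestDelegate _next;
    private readonly ILogger<CspHeaderMiddleware> _logger;

    public CspHeaderMiddleware(RequestDelegate next, ILogger<CspHeaderMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var headers = context.Response.Headers;

        // IDictionary<string, StringValues>.Add throws ArgumentException when the key
        // already exists (see the stack trace in the report). Test for it first and
        // log the duplicate rather than failing the request.
        if (headers.ContainsKey(HeaderName))
        {
            _logger.LogWarning("{Header} already present with value {Value}; not overwriting it",
                HeaderName, headers[HeaderName].ToString());
        }
        else
        {
            // The indexer adds or replaces and never throws on an existing key.
            headers[HeaderName] = Policy;
        }

        await _next(context);
    }
}

public static class CspHeaderMiddlewareExtensions
{
    // Register early in the pipeline: app.UseCspHeader();
    public static IApplicationBuilder UseCspHeader(this IApplicationBuilder app)
        => app.UseMiddleware<CspHeaderMiddleware>();
}
```

If the same header is being added twice because a second piece of middleware (like the Permissions-Policy snippet above) or an upstream proxy also sets it, the logged warning shows which value was already present and points at the conflicting source.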