authts / oidc-client-ts

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
https://authts.github.io/oidc-client-ts/
Apache License 2.0

Having issues with content security management #1276

Open molyviatis opened 8 months ago

molyviatis commented 8 months ago

Hi,

Is there a recommended setup for content security management when using oidc-client-ts? Since converting my app from oidc-client to oidc-client-ts, I've had issues with my token becoming invalid. I suspect an issue with CSP. Please let me know what the recommended configuration should be. Below is my CSP, where I temporarily commented out the ones I thought may be an issue:

```csharp
app.Use(async (context, next) =>
{
    context.Response.Headers.Remove("X-Powered-By");
    context.Response.Headers.Remove("X-XSS-Protection");
    context.Response.Headers.Add("X-Xss-Protection", "1");
    context.Response.Headers.Remove("X-Frame-Options");
    context.Response.Headers.Add("X-Frame-Options", "DENY");
    context.Response.Headers.Remove("Referrer-Policy");
    context.Response.Headers.Add("Referrer-Policy", "no-referrer");
    context.Response.Headers.Remove("X-Content-Type-Options");
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    context.Response.Headers.Remove("Content-Security-Policy");
    context.Response.Headers.Add(
        "Content-Security-Policy",
        "default-src 'none'; " +
        //"trusted-types angular angular#unsafe-bypass; " +
        //"require-trusted-types-for 'script'; " +
        "img-src 'self' data:; " +
        "font-src 'self' data: https://fonts.gstatic.com; " +
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com; " +
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
        //"frame-ancestors 'self'; " +
        "form-action 'self'; " //+
        //"frame-src 'self'; " +
        //$"connect-src 'self' ws: {configuration.GetValue("AppConfig:TokenIssuerSource")}; "
    );

    await next();
});
```
pamapa commented 7 months ago

The CSP for your application should allow script execution and connecting to your IDP.

Like:

```
script-src 'self';
connect-src 'self' <url(s) of your IDP>;
frame-src 'self' <url(s) of your IDP>
```

The browser gives you hints about issues with CSP in its console...
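The reply above boils down to two fetch directives: `connect-src` must cover the IDP because the library fetches the discovery document and calls the token (and userinfo) endpoints, and `frame-src` must cover it because silent renew and session monitoring run in a hidden iframe. Both directives inherit from `default-src` when they are absent, which is why a policy that starts with `default-src 'none'` and never sets them blocks the IDP even though every other directive is correct. The following is an added example, not code from this thread or from the oidc-client-ts project: a small checker that parses a CSP header value and reports which of those two directives would block the IDP. The page origin (`https://app.example.test`), the IDP authority (`https://idp.example.test/realms/demo`) and the endpoint paths are assumptions for illustration, and the source-expression matching is a simplification of the CSP3 rules (it handles `'none'`, `'self'`, `*`, scheme sources and host sources with optional scheme, `*.` wildcard, port and path; nonces and hashes never match a URL).

```javascript
// Added example, not code from the oidc-client-ts project or from this thread.
// Checks whether a Content-Security-Policy header value lets an oidc-client-ts
// application reach its identity provider (IDP). Two fetch directives matter:
//   connect-src : fetch/XHR to the IDP (discovery document, token endpoint, userinfo)
//   frame-src   : the hidden iframe the library uses for silent renew / session monitoring
// Both inherit from default-src when absent, so "default-src 'none'" with no
// connect-src and no frame-src silently blocks the IDP.

// Assumed origins (hypothetical, replace with your own).
const PAGE_ORIGIN = "https://app.example.test";
const IDP_AUTHORITY = "https://idp.example.test/realms/demo";

// Requests the library makes that CSP governs; the endpoint paths are assumed.
const OIDC_NEEDS = [
  { directive: "connect-src", url: `${IDP_AUTHORITY}/.well-known/openid-configuration`,
    why: "metadata, token and userinfo requests" },
  { directive: "frame-src", url: `${IDP_AUTHORITY}/protocol/openid-connect/auth`,
    why: "silent-renew and session-monitor iframe" },
];

const DEFAULT_PORTS = { "https:": "443", "http:": "80", "wss:": "443", "ws:": "80" };

// Parse a CSP header value into Map<directive, sourceExpressions[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // CSP3: a repeated directive is ignored
  }
  return policy;
}

// Fetch directives fall back to default-src; null means "no restriction at all".
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? null;
}

function hostMatches(pattern, host) {
  if (pattern === host) return true;
  // "*.example.test" matches any subdomain but not example.test itself.
  return pattern.startsWith("*.") && host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
}

// Simplified CSP source-expression matching: 'none', 'self', "*", scheme-source
// ("https:") and host-source with optional scheme, "*." wildcard, port and path.
// Nonces, hashes and other quoted keywords never match a URL.
function sourceAllows(source, target, pageOrigin) {
  const page = new URL(pageOrigin);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s.startsWith("'")) return false;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9*.-]+)(?::(\d+|\*))?(\/\S*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Without an explicit scheme, a host-source matches the page's scheme or an upgrade to https.
  const schemeOk = scheme ? target.protocol === `${scheme}:`
                          : target.protocol === page.protocol || target.protocol === "https:";
  if (!schemeOk || !hostMatches(host, target.hostname)) return false;
  const targetPort = target.port || DEFAULT_PORTS[target.protocol] || "";
  const sourcePort = port ?? DEFAULT_PORTS[scheme ? `${scheme}:` : target.protocol] ?? "";
  if (port !== "*" && targetPort !== sourcePort) return false;
  if (path && !(path.endsWith("/") ? target.pathname.startsWith(path) : target.pathname === path)) return false;
  return true;
}

// Returns a list of problems; empty when the policy lets oidc-client-ts reach the IDP.
function checkOidcCsp(header, pageOrigin = PAGE_ORIGIN) {
  const policy = parseCsp(header);
  const problems = [];
  for (const need of OIDC_NEEDS) {
    const sources = effectiveSources(policy, need.directive);
    const target = new URL(need.url);
    const ok = sources === null || sources.some((src) => sourceAllows(src, target, pageOrigin));
    if (!ok) problems.push(`${need.directive} blocks ${target.origin} (${need.why})`);
  }
  return problems;
}

// The policy from the first post (without its commented-out directives) and a fixed version.
const POSTED_CSP =
  "default-src 'none'; img-src 'self' data:; font-src 'self' data: https://fonts.gstatic.com; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'; form-action 'self'";
const FIXED_CSP =
  `${POSTED_CSP}; connect-src 'self' https://idp.example.test; frame-src 'self' https://idp.example.test`;

console.log(checkOidcCsp(POSTED_CSP)); // both connect-src and frame-src fall back to default-src 'none'
console.log(checkOidcCsp(FIXED_CSP));  // []
```

Run it with `node` on the header value your middleware emits; the posted policy reports both directives as blocking the IDP, and adding `connect-src` and `frame-src` entries for the IDP origin clears both. The checker deliberately reproduces the `default-src` fallback so that a policy which is "correct" for the app's own scripts and styles still shows why the token requests fail, which is the same information the browser prints in its console as CSP violation reports.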