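When using IIS in a virtual application, the application path isn't added to the report URL.

I have the following route defined:

```csharp
app.UseCsp(csp => {
    // Various rules here
    csp.ReportViolationsTo("/csp/report");
});
```
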
I have a CSP controller in an area named CSP:
Areas/Csp/HomeController.cs

When a violation occurs, it's sent to https://servername.com/csp/report; however, running in IIS it needs to be https://servername.com/somepath/csp/report

My current workaround is to move the csp.ReportViolationsTo inside OnSendingHeader:

```csharp
app.UseCsp(csp => {
    // Various rules here
    csp.OnSendingHeader = context => {
        // Prefix the report path with the virtual application path (PathBase)
        var path = new PathString($"{context.HttpContext.Request.PathBase}/csp/report");
        csp.ReportViolationsTo(path);
        // Skip the CSP header for Swagger pages
        context.ShouldNotSend = context.HttpContext.Request.Path.StartsWithSegments("/swagger");
        return Task.CompletedTask;
    };
});
```

However, that will reset the ReportViolations every time and is not ideal.

This is something that other areas of ASP.NET Core already handle. For example, setting app.UseStatusCodePagesWithReExecute("/Error/{0}"); would properly redirect 404 error pages to https://servername.com/somepath/error/404
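
The behaviour requested above, as an added example that is not part of the original post and does not use the CSP library's API: plain ASP.NET Core middleware that prefixes a root-relative report path with Request.PathBase when the header is written. The names CspReportUri, Resolve and UseCspWithReportUri, and the policy string passed in, are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Added example: CspReportUri and UseCspWithReportUri are hypothetical names.
public static class CspReportUri
{
    // Browsers resolve a root-relative report-uri against the origin, so
    // "/csp/report" loses the IIS virtual application path unless it is
    // prefixed with Request.PathBase ("/somepath" in the post above).
    public static string Resolve(PathString pathBase, string reportUri)
    {
        if (string.IsNullOrEmpty(reportUri))
            throw new ArgumentException("Report URI is required.", nameof(reportUri));

        // Absolute (https://...) and scheme-relative (//host/...) URIs
        // already name their full target; leave them untouched.
        bool rootRelative = reportUri.StartsWith("/", StringComparison.Ordinal)
                         && !reportUri.StartsWith("//", StringComparison.Ordinal);
        return rootRelative ? pathBase.ToUriComponent() + reportUri : reportUri;
    }

    public static IApplicationBuilder UseCspWithReportUri(
        this IApplicationBuilder app, string policy, string reportUri)
    {
        return app.Use(async (context, next) =>
        {
            // Same exclusion as the workaround in the post.
            if (!context.Request.Path.StartsWithSegments("/swagger"))
            {
                context.Response.OnStarting(() =>
                {
                    // Computed per response from request state only, so no
                    // shared policy object is mutated between requests.
                    var uri = Resolve(context.Request.PathBase, reportUri);
                    context.Response.Headers["Content-Security-Policy"] =
                        $"{policy}; report-uri {uri}";
                    return Task.CompletedTask;
                });
            }
            await next();
        });
    }
}
```

Calling `app.UseCspWithReportUri("default-src 'self'", "/csp/report")` in an application hosted under /somepath emits `report-uri /somepath/csp/report`, while a report URI on another origin is passed through unchanged.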