openiddict / openiddict-core

Flexible and versatile OAuth 2.0/OpenID Connect stack for .NET
https://openiddict.com/
Apache License 2.0
4.36k stars 510 forks

ContentSecurityPolicy being set. How do you change it? #53

Closed Gillardo closed 8 years ago

Gillardo commented 8 years ago

I want to add links to fonts on my web application, but since implementing OpenIddict, I have just been given CSP errors.

After hacking away at my project and then the source of OpenIddict, I see that a CSP policy is added by default in the OpenIddictExtensions file, like so:

```csharp
// Insert a new middleware responsible for setting the Content-Security-Policy header.
// See https://nwebsec.codeplex.com/wikipage?title=Configuring%20Content%20Security%20Policy&referringTitle=NWebsec
app.UseCsp(options => options.DefaultSources(directive => directive.Self())
    .ImageSources(directive => directive.Self().CustomSources("*"))
    .ScriptSources(directive => directive.Self().UnsafeInline())
    .StyleSources(directive => directive.Self().UnsafeInline()));
```

This is all very well, but how can I override these settings? Why are these settings added by default? Surely they should be optional?
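The font errors follow directly from how browsers resolve that policy: the middleware sets no `font-src`, so font fetches fall back to `default-src 'self'` and any font served from another origin is blocked. The following is an added example, not code from OpenIddict, NWebsec or this thread: a small CSP evaluator that parses a serialized policy and decides whether a given fetch is permitted. The policy strings are constructed from the directives quoted above, the page origin and font URL are made up, and the `font-src` line added in the second policy is a hypothetical configuration rather than anything the project ships. Only `'self'`, `*`, quoted keywords and origin-style sources are modelled (no nonces, hashes or path matching).

```javascript
// Added example (not OpenIddict/NWebsec code): a minimal Content-Security-Policy
// evaluator that shows why an external font is blocked under the policy quoted in the
// issue, and allowed once an explicit font-src directive is configured.

// Header value the quoted middleware configuration produces (constructed from the issue).
const DEFAULT_POLICY =
  "default-src 'self'; img-src 'self' *; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";

// Same policy with a font-src directive added (hypothetical fix; the origin is an assumption).
const POLICY_WITH_FONTS = DEFAULT_POLICY + "; font-src 'self' https://fonts.gstatic.com";

// Fetch directives that fall back to default-src when they are not present in the policy.
const FALLS_BACK_TO_DEFAULT = new Set([
  "font-src", "img-src", "script-src", "style-src", "connect-src", "media-src", "object-src",
]);

// Parse "name src1 src2; name2 src3" into a Map of directive name -> array of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // A repeated directive name is ignored; the first occurrence wins.
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression permit loading resourceUrl from a page served at pageOrigin?
function sourceMatches(source, resourceUrl, pageOrigin) {
  const target = new URL(resourceUrl);
  if (source === "*") return true;                       // wildcard host source
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false;              // 'unsafe-inline', 'none', ... never match a URL
  // Remaining sources are treated as scheme://host[:port] or bare host expressions.
  let allowed;
  try {
    allowed = new URL(source.includes("://") ? source : `${target.protocol}//${source}`);
  } catch {
    return false;                                        // malformed source expression: no match
  }
  return allowed.origin === target.origin;
}

// Decide whether a fetch governed by `directive` (e.g. "font-src") for resourceUrl is allowed.
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const directives = parsePolicy(policy);
  let sources = directives.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = directives.get("default-src");             // the fallback that bites font loading here
  }
  if (sources === undefined) return true;                // no governing directive at all: unrestricted
  return sources.some((s) => sourceMatches(s, resourceUrl, pageOrigin));
}

// Constructed sample inputs.
const PAGE_ORIGIN = "https://app.example";
const EXTERNAL_FONT = "https://fonts.gstatic.com/s/roboto/v30/font.woff2";
const LOCAL_FONT = "https://app.example/fonts/roboto.woff2";

function demo() {
  return {
    externalFontDefault: isAllowed(DEFAULT_POLICY, "font-src", EXTERNAL_FONT, PAGE_ORIGIN), // false
    localFontDefault: isAllowed(DEFAULT_POLICY, "font-src", LOCAL_FONT, PAGE_ORIGIN),       // true
    externalFontFixed: isAllowed(POLICY_WITH_FONTS, "font-src", EXTERNAL_FONT, PAGE_ORIGIN), // true
    externalImageDefault: isAllowed(DEFAULT_POLICY, "img-src", "https://cdn.example/a.png", PAGE_ORIGIN), // true
  };
}

console.log(demo());
```

Running the block prints one object: the external font is refused under the issue's policy because `font-src` inherits `default-src 'self'`, the same font is accepted once a `font-src` listing its origin is added, and the external image is accepted because `img-src` carries its own `*` source. Making the directives configurable (what the PR below does) is what lets an application express that `font-src` entry instead of hacking the header on the HTML page.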

kevinchalet commented 8 years ago

@damccull is working on a PR to make it configurable: https://github.com/openiddict/core/pull/38

Gillardo commented 8 years ago

Excellent!! Glad to hear that, I have tried setting the CSP on the HTML page for about an hour, until I realised that this happened once I implemented OpenIddict.

Will watch this space for change

damccull commented 8 years ago

Alright, this feature is ready and awaiting merge. @PinpointTownes should do it soon.

kevinchalet commented 8 years ago

PR merged: https://github.com/openiddict/core/commit/dad1b307b88e20dd9dd3a01c485ddcfbfeff189c :smile:

The updated package should be on MyGet.org soon.

kevinchalet commented 8 years ago

@Gillardo don't hesitate to share your thoughts when you have a moment :clap:

Gillardo commented 8 years ago

@damccull very nice work with the Csp option. I have downloaded the latest version via MyGet now and it works perfectly with my application! Thank you.

@PinpointTownes thanks for merging so quickly.