umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com

Content security policy #11420

Closed dalemccutcheon closed 3 years ago

dalemccutcheon commented 3 years ago

Which exact Umbraco version are you using? For example: 8.13.1 - don't just write v8

9.0.0

Bug summary

We are having a problem with NWebsec and Umbraco. We are trying to secure our site as much as possible and therefore have unsafeEval and unsafeInline turned off; this then breaks Umbraco.

In v8 we could add a second web.config into the Umbraco folder and then enable unsafeEval and unsafeInline specifically within that web.config to allow the back office to load.

Now within v9 we can no longer do that. Does anyone know a way around having to enable unsafeEval and unsafeInline in order to get Umbraco to load?

Specifics

No response

Steps to reproduce

Install NWebsec for dotnet core https://www.w3.org/TR/upgrade-insecure-requests/#examples

Once installed, configure the CSP as securely as possible; this will then break Umbraco, although the front end of the site will load.

If unsafeEval and unsafeInline are then turned on, the back office will load.

Expected result / actual result

Is there a way we are able to enable a CSP without unsafe eval and unsafe inline turned on for Umbraco to load?
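One way to reproduce the v8 per-folder web.config split in the v9 ASP.NET Core pipeline, added here as an example (not from this issue or the Umbraco project): branch the pipeline by request path so the relaxed policy is only emitted for back-office responses while every other response keeps a policy with no unsafe-* keywords. It assumes the NWebsec.AspNetCore.Middleware fluent UseCsp API (method names as the NWebsec docs describe them) and that the back office is served under /umbraco; both are assumptions to check against your install.

```csharp
// Added example, not Umbraco or NWebsec project code.
// Assumes: NWebsec.AspNetCore.Middleware is installed and the back office
// lives under /umbraco (hypothetical path; verify for your deployment).
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using NWebsec.AspNetCore.Middleware;

public static class ScopedCspExtensions
{
    // Path prefix of the back office (assumed).
    private static readonly PathString BackOfficePath = new PathString("/umbraco");

    // True only for requests to the back office, so the relaxed policy
    // can never leak onto front-end pages.
    public static bool IsBackOfficeRequest(HttpContext ctx) =>
        ctx.Request.Path.StartsWithSegments(BackOfficePath);

    // Call from Startup.Configure before app.UseUmbraco(...).
    public static IApplicationBuilder UseScopedCsp(this IApplicationBuilder app)
    {
        // Back office branch: the AngularJS UI needs inline scripts/styles and
        // eval, so allow them here and nowhere else. Still no wildcard sources.
        app.UseWhen(IsBackOfficeRequest, backOffice => backOffice.UseCsp(o => o
            .DefaultSources(s => s.Self())
            .ScriptSources(s => s.Self().UnsafeInline().UnsafeEval())
            .StyleSources(s => s.Self().UnsafeInline())
            .FrameAncestors(s => s.Self())));

        // Front-end branch: strict policy, no unsafe-inline / unsafe-eval.
        app.UseWhen(ctx => !IsBackOfficeRequest(ctx), frontEnd => frontEnd.UseCsp(o => o
            .DefaultSources(s => s.Self())
            .ScriptSources(s => s.Self())
            .StyleSources(s => s.Self())
            .FrameAncestors(s => s.None())));

        return app;
    }
}
```

After wiring it in, confirm in the browser's network panel that a front-end response's Content-Security-Policy header contains neither 'unsafe-inline' nor 'unsafe-eval', and that only responses under /umbraco do.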

nul800sebastiaan commented 3 years ago

Hi there - this sounds like an excellent question for the forums where our friendly community can help you find the best solution for your requirements.

Make sure to head on over to https://our.umbraco.com and ask follow up questions there! 👍

gdiazderadaa commented 3 years ago

I might be wrong but that looks like a bug that needs to be dealt with here as opposed to a question posted in the forums. Otherwise what's the purpose of this channel?