How to enable Content-Security-Policy in IIS

Thread starter: Velocedge
I'm trying to add a Content-Security-Policy to IIS on a Windows 2019 server. I had posted something similar but found I was going down the wrong path. In IIS, I'm going to HTTP Response Headers, clicking [Add], and putting "Content-Security-Policy" in the Name and "default-src 'self';" in the Value. But when this is saved in IIS, none of the inline scripts or styles work and the pages are a mess.

I found examples and explanations on https://content-security-policy.com that provide the description and proper syntax to allow not only inline CSS but scripts, images, etc. from the server:

Code:
"The default-src directive defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media."
EXAMPLE DEFAULT-SRC POLICY
default-src 'self' cdn.example.com;

"default-src 'self' Allows loading resources from the same origin (same scheme, host and port)."

So, in IIS I modified the Content-Security-Policy to:

Code:
default-src 'self' www.mydomainname.net;

But my web pages are still ignoring styles and scripts! What am I doing wrong in IIS or maybe I just don't understand yet how it's supposed to work? It appears by adding this Content-Security-Policy value, it should allow the scripts and styles from the same server. So, why doesn't it?
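
A CSP source expression such as 'self' or a host name matches only resources fetched by URL; inline `<script>` and `<style>` blocks are governed separately by 'unsafe-inline', a nonce, or a hash. The following is an added example, not part of the original post (the sample page and function names are constructed for illustration): it computes sha256 hash sources for a page's inline blocks and builds a header value for the IIS HTTP Response Headers Value field.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page (CRLF line endings, as is common for files on Windows).
SAMPLE_PAGE = (
    "<html><head>\r\n"
    "<style>body { margin: 0; }</style>\r\n"
    '<script src="/js/app.js"></script>\r\n'
    "<script>\r\nconsole.log('inline');\r\n</script>\r\n"
    "</head><body></body></html>"
)

class InlineCollector(HTMLParser):
    """Collect the text of <style> blocks and of <script> blocks without src."""
    def __init__(self):
        super().__init__()
        self.current = None
        self.blocks = {"script": [], "style": []}
    def handle_starttag(self, tag, attrs):
        if tag == "style" or (tag == "script" and "src" not in dict(attrs)):
            self.current = tag
            self.blocks[tag].append("")
    def handle_data(self, data):
        if self.current:
            self.blocks[self.current][-1] += data
    def handle_endtag(self, tag):
        if tag == self.current:
            self.current = None

def csp_hash(text):
    """Hash source for one inline block; CR/CRLF become LF, as in browser HTML parsing."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_policy(html):
    """Build a header value that keeps 'self' and allows only the inline blocks found."""
    collector = InlineCollector()
    collector.feed(html)
    collector.close()
    parts = ["default-src 'self'"]
    for directive, tag in (("script-src", "script"), ("style-src", "style")):
        hashes = sorted({csp_hash(block) for block in collector.blocks[tag]})
        parts.append(" ".join([directive, "'self'"] + hashes))
    return "; ".join(parts)

if __name__ == "__main__":
    print(build_policy(SAMPLE_PAGE))
```

Inline event-handler attributes (such as `onclick=`) and `style=` attributes are not matched by these hashes, and any edit to an inline block changes its hash.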