IIS Refused to apply inline style because it violates Content Security Policy but the domain is in style-src

  • Thread starter: Velocedge (Guest)

In Windows Server 2019 IIS I added "Content-Security-Policy" to the HTTP Response Headers because I'm getting security issues. I used the values:

Code:
style-src https://www.mydomainname.net 
or
style-src 'self'

With either entry, our styles are all messed up on the pages. All our style sheets are written similar to:

Code:
<link rel="stylesheet" type="text/css" href="/Themes/3354/theme.css">

Which links to the root of the server name listed in the Content-Security-Policy. I thought the entry meant "any stylesheet from the identified domain" would be acceptable but obviously it's not. So, I'm not sure what's going on. Entering the fully qualified URL for the domain doesn't seem to matter. I read about unsafe-inline but that seems to go against the reason for adding a security policy.

My question boils down to: What does the style-src really mean (if not all css is good from this domain) and how do I get it to accept a Content-Security-Policy without messing up the site's web pages?
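
The error in the thread title concerns inline styles: a host or 'self' source in style-src matches stylesheets loaded by URL, while <style> blocks and style="" attributes are inline and are refused unless the policy carries 'unsafe-inline', a hash or a nonce. As an added example (not part of the original post; the sample page and all function names are constructed for illustration), this Python script separates what a page loads by <link> from what it applies inline, and computes the 'sha256-…' source for each <style> block:

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page (assumption): the linked stylesheet from the post
# plus one <style> block and one style="" attribute.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" type="text/css" href="/Themes/3354/theme.css">
<style>.banner { color: red; }</style>
</head><body>
<div style="margin:0">hello</div>
</body></html>"""

class InlineStyleAudit(HTMLParser):
    """Collects every way a page applies CSS, grouped by how CSP treats it."""
    def __init__(self):
        super().__init__()
        self.linked = []        # <link rel=stylesheet>: checked against style-src URLs
        self.style_blocks = []  # <style> elements: inline, need a hash or nonce
        self.style_attrs = []   # style="" attributes: inline
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self.linked.append(a.get("href"))
        if tag == "style":
            self._in_style = True
            self.style_blocks.append("")
        if a.get("style") is not None:
            self.style_attrs.append((tag, a["style"]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text may arrive in several chunks
            self.style_blocks[-1] += data

def csp_hash(css_text):
    # CSP hash source: base64 of the SHA-256 of the exact <style> text content.
    digest = hashlib.sha256(css_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def audit(html):
    parser = InlineStyleAudit()
    parser.feed(html)
    parser.close()
    return parser

def suggest_style_src(html):
    # 'self' covers same-origin stylesheet files; each hash covers one <style> block.
    return " ".join(["style-src", "'self'"] + [csp_hash(b) for b in audit(html).style_blocks])
```

A style="" attribute is not allowed by a plain hash source, so anything reported in style_attrs is best moved into the linked stylesheet.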