CSP Header Forced programmatically ?
Problem reported by Tim Winkelmann - June 18 at 4:59 AM
Submitted
Hi,

We are hosting an app in a virtual directory under the SmarterTrack Site.
On this app, we wish to include some third party scripts.

However, we came across a Content Security Policy Error. The third party script is being blocked.
The CSP Header is not set by our IIS Server, not by the Web.config of the Virtual Directory, and not by the SmarterTrack Web.config.

Looking at the CSP, it includes the domain names of our SmarterTrack brands, as well as other addresses.
Here is an anonymized version for reference: (example, example2 and example3 are the addresses of our 3 SmarterTrack brands).


connect-src 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com ws://support.example.com:* wss://support.example.com:* https://*.google-analytics.com https://*.googleapis.com; frame-ancestors 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com; frame-src 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://*.google.com/recaptcha/ https://*.fleeq.io https://*.metacafe.com; script-src 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com 'unsafe-inline' 'unsafe-eval' blob: https://translate.google.com https://*.google-analytics.com https://*.googleapis.com https://*.google.com/recaptcha/ https://*.gstatic.com/recaptcha/; style-src 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com 'unsafe-inline' https://fonts.googleapis.com; report-uri https://support.example.com/CspReports.ashx
We concluded that this CSP must be generated by SmarterTrack, probably somewhere in code, inaccessible.

We need to be able to edit this CSP (at the very least add domains to it).
How do we go about this ?


Thanks in advance
Tim Winkelmann

Reply to Thread