CSP Header Forced Programmatically?
Problem reported by Tim Winkelmann - 6/18/2019 at 4:59 AM
Hi,

We are hosting an app in a virtual directory under the SmarterTrack Site.
On this app, we wish to include some third party scripts.

However, we came across a Content Security Policy Error. The third party script is being blocked.
The CSP header is not set by our IIS server, nor by the Web.config of the virtual directory, nor by the SmarterTrack Web.config.

Looking at the CSP, it includes the domain names of our SmarterTrack brands, as well as other addresses.
Here is an anonymized version for reference (example, example2 and example3 are the addresses of our 3 SmarterTrack brands):

connect-src 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com ws://support.example.com:* wss://support.example.com:* https://*.google-analytics.com https://*.googleapis.com;
frame-ancestors 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com;
frame-src 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://*.google.com/recaptcha/ https://*.fleeq.io https://*.metacafe.com;
script-src 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com 'unsafe-inline' 'unsafe-eval' blob: https://translate.google.com https://*.google-analytics.com https://*.googleapis.com https://*.google.com/recaptcha/ https://*.gstatic.com/recaptcha/;
style-src 'self' https://support.example.com https://*.support.example.com https://*.support.example2.com https://*.support.example3.com 'unsafe-inline' https://fonts.googleapis.com;
report-uri https://support.example.com/CspReports.ashx
We concluded that this CSP must be generated by SmarterTrack, probably somewhere in code that we cannot access.

We need to be able to edit this CSP (at the very least add domains to it).
How do we go about this?

Thanks in advance
Tim Winkelmann
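To see exactly which directive rejects a given script (and to test a candidate policy before asking for it to be changed), here is an added example of a small CSP checker. It is not code from the post or from SmarterTrack; it assumes a page origin of https://support.example.com and a shortened, constructed copy of the policy above, and it ignores nonces, hashes and 'strict-dynamic'.

```javascript
// Added example, not code from the original post or from SmarterTrack: parse a CSP string
// and report whether a resource URL is allowed by the directive that governs it. Covers
// scheme, wildcard-subdomain, port and path matching; nonces and hashes are out of scope.
const GOVERNING = { script: "script-src", style: "style-src", connect: "connect-src", frame: "frame-src" };
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
// Constructed sample policy, shortened from the anonymized one in the post.
const POLICY = "connect-src 'self' https://*.support.example.com ws://support.example.com:*; " +
  "script-src 'self' https://*.support.example.com 'unsafe-inline' blob: https://*.google.com/recaptcha/; " +
  "style-src 'self' https://fonts.googleapis.com";

// "script-src 'self' https://a.example; ..." -> Map(directive -> [sources]); first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression admit the URL? pageOrigin resolves 'self' and an omitted scheme.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;                           // 'none', 'unsafe-*', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source such as blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*?[^:\/*]+)(?::(\*|\d+))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Scheme: http admits https and ws admits wss (secure upgrades only).
  const s = scheme ? scheme + ":" : new URL(pageOrigin).protocol, p = url.protocol;
  if (!(s === p || (s === "http:" && p === "https:") || (s === "ws:" && p === "wss:"))) return false;
  // Host: "*" is any host; "*.x" is subdomains of x only; otherwise exact match.
  if (host !== "*" && !(host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host)) return false;
  // Port: omitted means the scheme's default port; "*" means any; a number must equal the effective port.
  const effectivePort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port === undefined ? url.port !== "" : port !== "*" && port !== effectivePort) return false;
  // Path: a trailing "/" is a prefix match, otherwise exact.
  if (path && !(path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  return true;
}

// Returns { directive, allowed }: the directive that decided (null if none applies) and its verdict.
function checkResource(policy, kind, resourceUrl, pageOrigin) {
  const directives = parseCsp(policy), url = new URL(resourceUrl);
  const directive = directives.has(GOVERNING[kind]) ? GOVERNING[kind]
    : directives.has("default-src") ? "default-src" : null;
  if (directive === null) return { directive: null, allowed: true }; // no directive restricts this kind
  return { directive, allowed: directives.get(directive).some(x => sourceMatches(x, url, pageOrigin)) };
}
```

Running `checkResource(POLICY, "script", "https://cdn.thirdparty.example/lib.js", "https://support.example.com")` reproduces the situation in the post: script-src is the deciding directive and the third-party host is not in it, so the browser blocks the script and sends a report to the report-uri.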
