
I am facing an issue when IdentityServer redirects from https://sso.com/connect/authorize?.. to https://anotherhost.com/sigin-oidc: it shows a CSP error that states

refused to send form data to form-action 'https://anotherhost.com/sigin-oidc' because it violates the following Content Security Policy directive: form-action https://anotherhost.com

So far I have found that the Google & Safari browsers do not allow the form action, even for a GET request, if it is not properly defined in the CSP, meaning I have to add https://anotherhost.com/sigin-oidc to the CSP. But my main issue is how I would add it in ASP.NET Core, because when I try to add it like below:

 // Middleware registered before IdentityServer; the header is written before
 // the endpoint runs (this is the behaviour being asked about, kept as posted).
 app.Use(async (context, next) =>
 {
     if (context.Request.Path.StartsWithSegments("/connect/authorize"))
     {
         // StringValues converts to/from string, so += concatenates the policy text.
         context.Response.Headers["Content-Security-Policy"] += "form-action 'self' https://anotherhost.com/sigin-oidc";
     }
     await next();
 });

this code only adds form-action; the rest of the policy is missing. So I have two questions: first, how does connect/authorize internally add this Content Security Policy, and second, how can I manage it in ASP.NET Core?

  • I'm not very sure about your question... Based on my understanding, you might be able to use <meta> tags in your page to set the allowed origin. Commented Jan 3, 2025 at 2:26
  • In my humble opinion, a CSP policy asks the browser to stop some actions. For example, if we use a 3rd-party library in the page and this library requires loading extra resources, such as a CSS file, and we didn't set the link to the CSS file in the CSP policy, it will be prevented from loading. Maybe this example about the meta tag can help you. Commented Jan 3, 2025 at 2:32
  • @TinyWang I understand your point of view, but the main issue is that these calls are mostly internal middleware calls of IdentityServer, over which the developer doesn't have any control. Commented Jan 3, 2025 at 5:19
  • I used a CSP policy before to fix a CSP violation error; you can see that my code format for multiple values is like "script-src 'self' 'unsafe-inline';". Maybe you can try: app.Use(async (context, next) => { context.Response.Headers.Add("Content-Security-Policy", "form-action 'self';" + "script-src 'self' 'unsafe-inline';" + "style-src 'self' 'unsafe-inline';" + "upgrade-insecure-requests; "); await next(); }); Commented Jan 3, 2025 at 6:14
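The following is an added example, not code from the question, the comments or IdentityServer. The symptom in the question (only form-action survives) is what you get when the header is written before next(): IdentityServer4's AddCspHeaders helper, carried over into Duende, only writes Content-Security-Policy when the response does not already carry one, so a header set up front replaces its policy instead of extending it. The approach below instead hooks Response.OnStarting, which fires after the endpoint has written its headers and just before they are flushed, and merges the extra form-action source into whatever policy is there. The path "/connect/authorize" and the origin https://anotherhost.com come from the question; the type and method names, and the .NET 6-or-later target, are assumptions.

```csharp
// Added example (not from the question or IdentityServer). Assumes ASP.NET Core 6+.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class FormActionCspMiddleware
{
    // Pure merge logic, kept apart from HttpContext so it can be unit-tested.
    // Adds `source` to the form-action directive of `policy`:
    //   - no policy at all            -> "form-action <source>"
    //   - policy without form-action  -> existing directives + "; form-action <source>"
    //   - policy with form-action     -> source appended unless already listed
    public static string AddFormActionSource(string? policy, string source)
    {
        var directives = (policy ?? string.Empty)
            .Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
            .ToList();

        // A directive is "<name> [source-list]"; match on the name token only.
        var index = directives.FindIndex(d =>
            string.Equals(d.Split(' ', 2)[0], "form-action", StringComparison.OrdinalIgnoreCase));

        if (index < 0)
        {
            directives.Add($"form-action {source}");
        }
        else
        {
            var sources = directives[index]
                .Split(' ', StringSplitOptions.RemoveEmptyEntries)
                .Skip(1);
            if (!sources.Contains(source, StringComparer.OrdinalIgnoreCase))
                directives[index] += " " + source;
        }

        return string.Join("; ", directives);
    }

    public static IApplicationBuilder UseFormActionCsp(
        this IApplicationBuilder app, PathString pathPrefix, string source)
    {
        return app.Use(async (context, next) =>
        {
            if (context.Request.Path.StartsWithSegments(pathPrefix))
            {
                // Writing the header here, before next(), would pre-empt the
                // endpoint's own CSP. OnStarting runs right before the headers are
                // sent, after IdentityServer has written its policy, so the
                // directive is merged into that policy instead of replacing it.
                context.Response.OnStarting(() =>
                {
                    var current = context.Response.Headers["Content-Security-Policy"].ToString();
                    context.Response.Headers["Content-Security-Policy"] =
                        AddFormActionSource(current, source);
                    return Task.CompletedTask;
                });
            }

            await next(context);
        });
    }
}

// Registration in Program.cs (hypothetical): place it before UseIdentityServer()
// so the OnStarting callback is attached to the authorize requests it handles.
//   app.UseFormActionCsp("/connect/authorize", "https://anotherhost.com");
//   app.UseIdentityServer();
```

Two practical checks once this is in place. First, a CSP host-source without a path, such as https://anotherhost.com, already matches every path on that origin, so the full /sigin-oidc path is not required in the directive. Second, if the browser still reports a violation with the origin listed, look at what the callback itself replies with: Chrome and Safari re-check form-action against the target of a redirect issued in response to a form submission, so a 302 from /sigin-oidc to some other origin trips the same error even though the form's own action was allowed.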
