Unanswered

Power Pages : Setting Content Security Policy Headers

(1) Share

Report

Posted on by vkartikiyer

Hi Team,

We have Power Pages website and as per security scan we need to set the CSP policy , I have added few directives for CSP but security scan still shows following directives are missing

default-src
code-injection-objective
form-action-objective
reporting-objective

Let me know if you have any inputs regarding the same.

Regards

Categories:

Security

I have the same question (0)

All responses (2)

Answers (0)

Michael E. Gernaey 53,325 Super User 2025 Season 2 on at

Like (1)

Report

Hi,

I'd have to see exactly what you set. It should have covered these. I am going to assume you synced etc?

Was this reply helpful? Yes No
vkartikiyer 20 on at

Like (0)

Report

Hi FLMike ,

Thanks for response.

I am able to set default-src and other directives , only issue right now script-src tag.

Following is the setting for CSP

default-src https: 'unsafe-inline';font-src https: 'unsafe-inline';img-src https: 'unsafe-inline';style-src https: 'unsafe-inline';form-action https: 'unsafe-inline';script-src https: 'nonce' 'unsafe-inline';

script-src tag is not allowing eval function to work without 'unsafe-eval' tag which is highlighted as security issue
Also , we have inline action which is failing because of script-src settings

Following is the snapshot

Without 'unsafe-eval' tag

Inline event Handler issue with script-src tag

Also in Advance setting I don't see any tag for following directives which is reported as security issue
code-injection-objective
reporting-objective

Was this reply helpful? Yes No