Currently I am working on fixing SharePoint 2019 penetration test issues. I am not able to find the fix details for two Content-Security-Policy properties (frame-ancestors 'none' and object-src 'self') in SharePoint 2019 on-premises.
a. Content-Security-Policy: default-src 'self';
I have received the below error message after applying "default-src 'self'" in the SharePoint 2019 web.config.
<add name="Content-Security-Policy" value="default-src 'self';"/>
Error Message:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
b. Content-Security-Policy: frame-ancestors 'none'.
SharePoint out-of-the-box popups are not working after applying "frame-ancestors 'none'" in the SharePoint 2019 web.config, and I am getting the below error message.
<add name="Content-Security-Policy" value="frame-ancestors 'none';"/>
Error Message: Refused to frame 'http://sharepoint.testing.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
I am not able to find the fix details on Google. Could someone kindly help by providing at least Microsoft risk-acceptance links to close this issue, or a solution if you have one?
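As an added example (not part of the original question or of SharePoint), the following small evaluator models the two browser checks behind the errors quoted above: whether a `frame-ancestors` directive permits a given ancestor origin (it never falls back to `default-src`, and `'none'` also blocks the site's own same-origin popups, while `'self'` would permit them), and whether inline event handlers are allowed under `script-src` with fallback to `default-src`. Origin matching is simplified to exact scheme+host, and the URLs used in the test are constructed, not taken from a real deployment.

```python
"""Simplified Content-Security-Policy evaluator (added example).

Models two checks a browser performs:
  * frame-ancestors against the framing page's origin (no fallback
    to default-src; an absent directive means framing is allowed)
  * inline script execution against script-src, falling back to
    default-src when script-src is not set
Only exact scheme://host matching is implemented (no wildcards, paths
or scheme-only sources), which is enough to reason about 'self'/'none'.
"""
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(src: str, ancestor_url: str) -> bool:
    """Host-only sources ("example.com") match on host; full URLs on origin."""
    if "://" in src:
        return _origin(src) == _origin(ancestor_url)
    return src.lower() == urlsplit(ancestor_url).netloc.lower()


def allows_frame_ancestor(header: str, page_url: str, ancestor_url: str) -> bool:
    """True if the page served with `header` may be framed by `ancestor_url`."""
    sources = parse_csp(header).get("frame-ancestors")
    if sources is None:
        return True                      # directive absent: no restriction
    if sources == ["'none'"]:
        return False                     # blocks even same-origin framing
    for src in sources:
        if src == "'self'" and _origin(page_url) == _origin(ancestor_url):
            return True
        if not src.startswith("'") and _source_matches(src, ancestor_url):
            return True
    return False


def allows_inline_script(header: str) -> bool:
    """Inline handlers need 'unsafe-inline' in script-src, else in default-src."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                      # no governing directive
    return "'unsafe-inline'" in sources
```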