-
-
Notifications
You must be signed in to change notification settings - Fork 485
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ELMAH errors in default project #17
Comments
Errors can be fixed by adding
(replace localhost with a domain where applicable) ... typical, fixing shortly after asking for help. However, I'm glad I did, because otherwise everyone else will have this problem, too. In the script-src filter, adding this is also recommended:
It will prevent CSP violations for Glimpse. |
Thanks for raising this. These CSP violation errors are cause by Visual Studio's browser link feature which runs at http://localhost:[Random Port]. Browser link works by injecting in-line script into your page. There is a comment about it in FilterConfig.cs. In my comment, I suggest either turning off CSP in code (Comment out AddContentSecurityPolicyFilters(filters)), or turning off browser link (Uncheck 'Enable browser link' in Visual Studio). Ideally Microsoft should support CSP, I have raised this on UserVoice. The above approach works but ideally you should only add localhost:* to the white-list in debug mode (You can use the pre-processor directives you do below). I think your first set of code could be added to the project. I would be interested to learn of any other reasons for CSP violations occurring, in particular where are you getting "It will prevent CSP violations for Glimpse". One I have noticed that you can ignore is a CSP violation for visiting the Elmah page while having Glimpse turned on. |
After a bit of testing I've found that adding to the script-src and img-src directives is enough to allow browser link:
I'd be interested to know why you needed the extra directives. Thanks! |
This is a difficult one. For MVC 6 I have asked that CSP be taken into consideration for Browser Link. If it could return the URL it is using, then that would solve all problems as we could add it to the white-list. No NWebSec for MVC 6 yet though anyway. For MVC 5, I I have made the above fix for the next version. |
ELMAH reports CSP errors in the default project.
Is there any easy fix for these? I have tried to fix them.
The errors come from referencing ports (on localhost) other than the IIS instance that the project is being run from. I think the relevant errors are in connect-src and img-src.
The text was updated successfully, but these errors were encountered: