ELMAH errors in default project #17

Closed
xorxornop opened this issue Jun 22, 2015 · 4 comments
Labels
bug Issues describing a bug or pull requests fixing a bug.

Comments

@xorxornop

ELMAH reports CSP errors in the default project.
Is there any easy fix for these? I have tried to fix them.

The errors come from referencing ports (on localhost) other than the IIS instance that the project is being run from. I think the relevant errors are in connect-src and img-src.

@xorxornop
Author

Errors can be fixed by adding

CustomSources = String.Join(" ", "localhost:*", "ws://localhost:*") to connect-src
CustomSources = String.Join(" ", "localhost:*", "data:") to img-src
CustomSources = String.Join(" ", ContentDeliveryNetwork.Google.Domain, ContentDeliveryNetwork.Microsoft.Domain, "localhost:*") to script-src

(replace localhost with a domain where applicable)

... typical, fixing shortly after asking for help. However, I'm glad I did, because otherwise everyone else will have this problem, too.

In the script-src filter, adding this is also recommended:

#if DEBUG
    UnsafeInline = true // DEFAULT = commented
#else
    // UnsafeInline = true // DEFAULT = commented
#endif

It will prevent CSP violations for Glimpse.

@RehanSaeed
Member

Thanks for raising this.

These CSP violation errors are caused by Visual Studio's browser link feature which runs at http://localhost:[Random Port]. Browser link works by injecting in-line script into your page. There is a comment about it in FilterConfig.cs. In my comment, I suggest either turning off CSP in code (Comment out AddContentSecurityPolicyFilters(filters)), or turning off browser link (Uncheck 'Enable browser link' in Visual Studio). Ideally Microsoft should support CSP; I have raised this on UserVoice.

The above approach works but ideally you should only add localhost:* to the white-list in debug mode (You can use the pre-processor directives you do below). I think your first set of code could be added to the project.

I would be interested to learn of any other reasons for CSP violations occurring, in particular where are you getting "It will prevent CSP violations for Glimpse". One I have noticed that you can ignore is a CSP violation for visiting the Elmah page while having Glimpse turned on.

@RehanSaeed
Member

After a bit of testing I've found that adding to the script-src and img-src directives is enough to allow browser link:

filters.Add(
    new CspImgSrcAttribute()
    {
#if DEBUG
        // Allow Browser Link to work in debug mode only.
        CustomSources = string.Join(" ", "data:"),
#else
        // Allow images from example.com.
        // CustomSources = "*.example.com",
#endif
        // Allow images from the same domain.
        Self = true,
    });
filters.Add(
    new CspScriptSrcAttribute()
    {
        // Allow scripts from the CDN's.
        CustomSources = string.Join(
            " ",
#if DEBUG
            // Allow Browser Link to work in debug mode only.
            "localhost:*",
#endif
            ContentDeliveryNetwork.Google.Domain,
            ContentDeliveryNetwork.Microsoft.Domain),
        // Allow scripts from the same domain.
        Self = true,
        // Allow the use of the eval() method to create code from strings. This is unsafe and can open your
        // site up to XSS vulnerabilities.
        // UnsafeEval = true,
        // Allow in-line JavaScript, this is unsafe and can open your site up to XSS vulnerabilities.
        // UnsafeInline = true
    });

I'd be interested to know why you needed the extra directives. Thanks!
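The two comments above describe the same fix from different angles: the reporter widened connect-src, img-src and script-src, while the maintainer found that img-src and script-src suffice for Browser Link. Below is one complete registration that covers all three directives with the debug-only sources isolated behind the preprocessor directives, so a Release build never ships the relaxed policy. This is an added example, not the project's own FilterConfig.cs or any code from the commenters; it assumes the NWebsec.Mvc attribute types (CspConnectSrcAttribute, CspDefaultSrcAttribute and CspReportUriAttribute alongside the two already shown in the thread) and the project's ContentDeliveryNetwork constants, and the /csp-report path is a placeholder for whatever report handler the project actually exposes.

```csharp
using System.Web.Mvc;
using NWebsec.Mvc.HttpHeaders.Csp;

public static class FilterConfig
{
    // Added example (not the project's FilterConfig.cs): registers the CSP directives
    // discussed in this thread. Browser Link / Glimpse sources are only whitelisted in
    // DEBUG builds, so the Release policy stays as tight as the CDN list allows.
    public static void AddContentSecurityPolicyFilters(GlobalFilterCollection filters)
    {
        // Turn CSP on; NWebsec builds the Content-Security-Policy header from the attributes below.
        filters.Add(new CspAttribute());

        // Fallback for every directive not listed explicitly: same origin only.
        filters.Add(new CspDefaultSrcAttribute { Self = true });

        filters.Add(
            new CspScriptSrcAttribute
            {
                Self = true,
                CustomSources = string.Join(
                    " ",
#if DEBUG
                    // Browser Link injects a script served from http://localhost:[random port].
                    "localhost:*",
#endif
                    // CDN hosts are assumed to come from the project's ContentDeliveryNetwork class.
                    ContentDeliveryNetwork.Google.Domain,
                    ContentDeliveryNetwork.Microsoft.Domain),
                // UnsafeInline / UnsafeEval are deliberately left unset even in DEBUG: enabling
                // them removes the XSS protection CSP exists for, and a DEBUG-only toggle is easy
                // to copy into a Release configuration by mistake.
            });

        filters.Add(
            new CspImgSrcAttribute
            {
                Self = true,
#if DEBUG
                // Browser Link loads data: URI images in debug builds.
                CustomSources = "data:",
#endif
            });

        filters.Add(
            new CspConnectSrcAttribute
            {
                Self = true,
#if DEBUG
                // XHR and WebSocket connections back to the random localhost port; this is the
                // connect-src violation the reporter saw. ws:// must be listed explicitly because
                // a host-source without a scheme only matches the page's own scheme.
                CustomSources = string.Join(" ", "localhost:*", "ws://localhost:*"),
#endif
            });

        // Violation reports go to an endpoint the application logs (for example into ELMAH,
        // which is how the reporter noticed the violations). The path is a placeholder.
        filters.Add(new CspReportUriAttribute { ReportUris = "/csp-report" });
    }
}
```

Because the localhost and data: sources live inside #if DEBUG blocks, a quick way to confirm nothing leaked is to inspect the Content-Security-Policy header of a Release build in the browser's network panel: it should list only 'self' and the CDN domains for script-src, and no localhost entries anywhere.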

@RehanSaeed
Member

This is a difficult one.

For MVC 6 I have asked that CSP be taken into consideration for Browser Link. If it could return the URL it is using, then that would solve all problems as we could add it to the white-list. No NWebSec for MVC 6 yet though anyway.

For MVC 5, I have made the above fix for the next version.

@RehanSaeed RehanSaeed added the bug Issues describing a bug or pull requests fixing a bug. label Dec 18, 2015