Add CSP at the website level (#2863)

2026-01-06 07:34:26 +01:00 · 2021-09-09 21:51:28 +09:00
parent c39f1341aa
commit fc4e47cec6
9 changed files with 224 additions and 90 deletions
--- a/BTCPayServer/Hosting/Startup.cs
+++ b/BTCPayServer/Hosting/Startup.cs
@@ -114,14 +114,8 @@ namespace BTCPayServer.Hosting
                o.Filters.Add(new XXSSProtectionAttribute());
                o.Filters.Add(new ReferrerPolicyAttribute("same-origin"));
                o.ModelBinderProviders.Insert(0, new ModelBinders.DefaultModelBinderProvider());
-                //o.Filters.Add(new ContentSecurityPolicyAttribute()
-                //{
-                //    FontSrc = "'self' https://fonts.gstatic.com/",
-                //    ImgSrc = "'self' data:",
-                //    DefaultSrc = "'none'",
-                //    StyleSrc = "'self' 'unsafe-inline'",
-                //    ScriptSrc = "'self' 'unsafe-inline'"
-                //});
+                if (!Configuration.GetOrDefault<bool>("nocsp", false))
+                    o.Filters.Add(new ContentSecurityPolicyAttribute(CSPTemplate.AntiXSS));
        })
            .ConfigureApiBehaviorOptions(options =>
            {