Sitefinity backend stopped working after changing Content-Security-Policy header

Information

Title: Sitefinity backend stopped working after changing Content-Security-Policy header
URL Name: content-security-policy-http-header
Article Number: 000131036
Environment:
Product: Sitefinity
Version: 8.x, 9.x, 10.x, 11.x, 12.x, 13.x
OS: All supported OS versions
Database: All supported Microsoft SQL Server versions
Question/Problem Description
After setting the Content-Security-Policy HTTP header, Sitefinity's backend stopped working and reported errors in the browser's JavaScript console.
Unable to log in to Sitefinity because of a "because it violates the following Content Security Policy directive" error.
Steps to Reproduce
Clarifying Information
Error Message: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script

Refused to connect to 'http://*****/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration'; because it violates the following Content Security Policy directive:
Defect/Enhancement Number
Cause
The Sitefinity backend relies on jQuery UI, which uses the JavaScript eval() function. As a result, 'unsafe-eval' and 'unsafe-inline' must be allowed by the policy.
The Content-Security-Policy (CSP) header must also list the domains from which external resources are loaded and the domains through which users log in to the site.
Resolution
Update the CSP directive that the error message reports as missing or faulty.

Make sure that 'unsafe-inline' and 'unsafe-eval' are allowed in the Content-Security-Policy HTTP header value, e.g.
default-src 'unsafe-inline' 'unsafe-eval' 'self' data: http://ajax.googleapis.com http://fonts.googleapis.com http://fonts.gstatic.com

Refused to connect to 'http://*****/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration' because it violates the following Content Security Policy directive: "connect-src 'self' accounts.google.com https://*.insight.sitefinity.com https://*.dec.sitefinity.com *.mktoresp.com".

The error message mentions Content Security Policy (CSP). This is an HTTP response header that lists the domains a browser is allowed to load resources from, or connect to, on a page of the site. If the domain name currently used to browse the site is not on that list, the browser blocks the request on every page that carries the CSP header. Details on CSP: https://content-security-policy.com/

The CSP header is emitted by Sitefinity's Web Security module. If the site runs on localhost, no domains need to be whitelisted, but for other domains, or for advanced network setups where the site is reached through a reverse proxy (which appears to be the case here), every domain at which the site runs must be included.
To update the CSP header based on the error message, go to Administration -> Settings -> Advanced -> Web Security -> HttpSecurityHeaders -> Response Headers -> Content Security Policy, and in the "connect-src" section of the header value append the URLs at which the site runs, e.g.

connect-src 'self' www.site.com www.server1.com accounts.google.com etc...

Paste the updated header value and save; the setting is applied immediately. Note: if the site runs behind a reverse proxy, make sure to add the domain names through which the site is proxied.
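To make the two errors above reproducible outside a browser, here is a small CSP checker added to this article (it is example code, not part of Sitefinity or the Web Security module). It parses a Content-Security-Policy header value, applies the fallback from connect-src/script-src to default-src, and reports whether eval() is permitted and whether a given connection is permitted. The host names www.site.com (the reverse-proxy address the browser uses) and www.server1.com (the address the backend builds its OpenID URL with) are constructed examples; the header values are the ones shown in this article. Host-source matching below is a simplified form of the CSP rules (scheme, wildcard subdomain, explicit port), labelled as such in the code.

```python
"""CSP checker for the errors described in this article (added example, not Sitefinity code)."""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are not listed explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Header values from the article. FIXED_CSP appends the backend server's own host name
# (constructed: www.server1.com) to connect-src, as the resolution steps describe.
BACKEND_CSP = ("default-src 'unsafe-inline' 'unsafe-eval' 'self' data: "
               "http://ajax.googleapis.com http://fonts.googleapis.com http://fonts.gstatic.com")
ORIGINAL_CSP = (BACKEND_CSP + "; connect-src 'self' accounts.google.com "
                "https://*.insight.sitefinity.com https://*.dec.sitefinity.com *.mktoresp.com")
FIXED_CSP = ORIGINAL_CSP + " www.server1.com"

# Constructed scenario: the browser reaches the site through a reverse proxy at www.site.com,
# but the backend's OpenID discovery URL points at the server's own name.
PAGE_ORIGIN = "https://www.site.com"
OPENID_URL = "https://www.server1.com/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration"


def parse_csp(header: str) -> dict:
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Source list governing `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def host_matches(pattern_host: str, host: str) -> bool:
    """'*.example.com' matches any subdomain but not the bare domain itself."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:]) and host != pattern_host[2:]
    return pattern_host == host


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression permit a connection to `url`? (simplified matching)"""
    target = urlparse(url)
    if source == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.hostname, target.port) == (origin.scheme, origin.hostname, origin.port)
    if source.startswith("'"):
        return False                      # keywords such as 'unsafe-eval' never match a URL
    if source == "*":
        return target.scheme in DEFAULT_PORTS
    if source.endswith(":"):
        return target.scheme == source[:-1]   # scheme-source, e.g. "data:"
    pat = urlparse(source if "://" in source else "//" + source)
    # An http: source also matches https: targets (CSP allows the upgrade).
    if pat.scheme and not (pat.scheme == target.scheme or (pat.scheme == "http" and target.scheme == "https")):
        return False
    if pat.port and pat.port != (target.port or DEFAULT_PORTS.get(target.scheme)):
        return False
    return host_matches(pat.hostname or "", target.hostname or "")


def eval_allowed(header: str) -> bool:
    """True when 'unsafe-eval' is present in script-src (or in default-src by fallback)."""
    return "'unsafe-eval'" in effective_sources(parse_csp(header), "script-src")


def connect_allowed(header: str, url: str, page_origin: str) -> bool:
    """True when some connect-src source (or default-src fallback) permits `url`."""
    sources = effective_sources(parse_csp(header), "connect-src")
    return any(source_allows(s, url, page_origin) for s in sources)


def explain_connect(header: str, url: str, page_origin: str) -> str:
    """Browser-style verdict, in the wording of the console error quoted above."""
    if connect_allowed(header, url, page_origin):
        return f"Allowed: {url}"
    sources = " ".join(effective_sources(parse_csp(header), "connect-src"))
    return (f"Refused to connect to '{url}' because it violates the following "
            f"Content Security Policy directive: \"connect-src {sources}\"")


if __name__ == "__main__":
    print("eval() allowed with default-src 'self' only:", eval_allowed("default-src 'self'"))
    print("eval() allowed with the article's header:", eval_allowed(BACKEND_CSP))
    print(explain_connect(ORIGINAL_CSP, OPENID_URL, PAGE_ORIGIN))
    print(explain_connect(FIXED_CSP, OPENID_URL, PAGE_ORIGIN))
```

Run the file as-is to see the login request refused under the original header and accepted after www.server1.com is appended to connect-src. The checker also shows why adding 'unsafe-eval' to default-src is enough for the EvalError: script-src is absent from the article's header, so it inherits default-src. Keeping the keyword in default-src makes it apply to every fetch directive, whereas a dedicated script-src line confines it to scripts; either way, the host list in connect-src must name every address the backend is reached through, including proxied ones.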
Workaround
Notes
Last Modified Date: 12/21/2020 11:55 AM
Attachment 
Files
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.