Question
I am wondering if it's possible to modify the Content-Security-Policy header that is set under <customHeaders> within web.config.
I would like to inject a nonce value if possible. I am currently doing this, but I need to remove the header from web.config entirely and add it via Application_BeginRequest().
I have poked around global.asax to grab the header. It doesn't seem to exist at this point in the pipeline. I can only assume it is injected later on?
    <customHeaders>
      <add name="Content-Security-Policy" value="myCsp nonce-{injectMe}" />
    </customHeaders>

    // would like to do something akin to this:
    protected void Application_BeginRequest()
    {
        var nonce = "myNonce";
        Response.Headers["Content-Security-Policy"] =
            Response.Headers["Content-Security-Policy"].Replace("{injectMe}", nonce);
    }
The goal being to keep the CSP within web.config and not having to rebuild when changing it.
Is this possible at all?
Answer 1:
I believe what you're looking for is Context.Response.Headers["Content-Security-Policy"].Replace("{injectMe}", nonce);
This should grab the current Context of the request being initiated, if I'm correct.
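One way to meet the goal stated in the question (policy text stays in web.config, nonce changes per request), as an added example that is not code from the question or the answer. It assumes the policy template is moved from <customHeaders> to a hypothetical appSettings key named CspTemplate, that views read the nonce from a hypothetical Context.Items["CspNonce"] entry, and that the site runs in the IIS integrated pipeline.

```csharp
// Global.asax.cs (added example; key names below are hypothetical).
// Assumed web.config entry:
//   <appSettings>
//     <add key="CspTemplate"
//          value="default-src 'self'; script-src 'self' 'nonce-{injectMe}'" />
//   </appSettings>
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web;

public class Global : HttpApplication
{
    private const string Placeholder = "{injectMe}";

    // Assumed fallback: if the setting is missing, send a restrictive
    // policy rather than no policy at all.
    private const string FallbackPolicy = "default-src 'self'";

    // 16 bytes from the OS CSPRNG, base64-encoded. A nonce must be
    // unpredictable and must never be reused across responses.
    private static string NewNonce()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    protected void Application_BeginRequest()
    {
        // Editing web.config restarts the app domain, so a changed
        // template takes effect without rebuilding the application.
        string template = ConfigurationManager.AppSettings["CspTemplate"];
        if (string.IsNullOrWhiteSpace(template))
        {
            template = FallbackPolicy;
        }

        string nonce = NewNonce();
        Context.Items["CspNonce"] = nonce; // for <script nonce="..."> in views

        // The Response.Headers collection requires the integrated pipeline.
        Response.Headers["Content-Security-Policy"] =
            template.Replace(Placeholder, nonce);
    }
}
```

Browsers only honour the nonce when the source expression is single-quoted inside the policy ('nonce-...'), which is why the assumed template quotes the placeholder.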
Source: https://stackoverflow.com/questions/57976967/is-it-possible-to-edit-the-custom-content-security-policy-header-set-by-iis-we