
CSP - script-src-elem violated in self-hosted setup

Open erwinkramer opened this issue 1 year ago • 0 comments

Bug description

CSP will violate on self-hosted, because it cannot run a script that calls back to the portal page.

In a self-hosted setup, you have:

  • a BACKEND, e.g. development.myorg.com - pointing towards the API Management resource
  • a FRONTEND, e.g. portal.myorg.com - pointing to your storage account where the portal files are hosted

```json
{
	"csp-report": {
		"document-uri": "https://BACKEND/signin-oauth/implicit/callback",
		"referrer": "https://login.microsoftonline.com/",
		"violated-directive": "script-src-elem",
		"effective-directive": "script-src-elem",
		"original-policy": "default-src 'self' *.WHOLE_ORG; report-uri SOMESITE",
		"disposition": "report",
		"blocked-uri": "inline",
		"line-number": 7,
		"source-file": "https://BACKEND/signin-oauth/implicit/callback",
		"status-code": 200,
		"script-sample": ""
	}
}
```

A console message looks something like this:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' *.WHOLE_ORG". Either the 'unsafe-inline' keyword, a hash ('sha256-SOMEHASH'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Reproduction steps

  1. Configure CSP in the API Management resource to enabled or report-only
  2. Go to an API in the API portal that has implicit auth configured
  3. Call the implicit auth
  4. See it authenticating, but not calling back to the portal

Expected behavior

Should allow calls

Is your portal managed or self-hosted?

Self-hosted

Release tag or commit SHA (if using self-hosted version)

Latest

erwinkramer, Aug 25 '23 10:08
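The console message quoted in the report is the browser applying the CSP3 fallback chain: no `script-src-elem`, no `script-src`, so `default-src` governs the inline script on the callback page, and `default-src 'self' *.WHOLE_ORG` carries no `'unsafe-inline'`, nonce or hash, so the script is refused. The following is an added example, written for this page and not code from the issue author or from the api-management-developer-portal project. It re-implements that decision in Python so the reported policy can be checked offline, and shows the narrower fix of adding an explicit `script-src` that pins the callback page's inline script by SHA-256 hash instead of loosening `default-src` with `'unsafe-inline'`. The policy string is the one from the report (with its redacted `WHOLE_ORG` and `SOMESITE` placeholders); the callback script body is a constructed stand-in, since the issue does not show the real script text.

```python
import base64
import hashlib

# CSP3 fallback order: a missing script-src-elem falls back to script-src, then
# to default-src. This is why the console message in the issue cites default-src
# for a script-src-elem violation.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "script-src": ("script-src", "default-src"),
}

# Constructed stand-ins: the policy is the one quoted in the report; the script
# body is a placeholder because the issue does not show the callback page's code.
ISSUE_POLICY = "default-src 'self' *.WHOLE_ORG; report-uri SOMESITE"
CALLBACK_SCRIPT = "document.getElementById('status').textContent = 'Signed in';"


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            # The first occurrence of a directive wins, as in browsers.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy, directive):
    """Return (name, sources) of the directive that actually governs `directive`."""
    for name in FALLBACK.get(directive, (directive,)):
        if name in policy:
            return name, policy[name]
    return None, []


def script_hash(script_body, algo="sha256"):
    """CSP hash-source for an inline script: '<algo>-<base64 digest>'.
    The browser hashes the exact script text, whitespace included."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_allowed(header, script_body, nonce=None):
    """Decide whether an inline <script> element would execute under `header`.
    Returns (allowed, reason), mirroring the browser's decision."""
    policy = parse_csp(header)
    name, sources = governing_directive(policy, "script-src-elem")
    if name is None:
        return True, "no script-src-elem, script-src or default-src: inline scripts are unrestricted"
    keywords = {s.lower() for s in sources if s.startswith("'")}
    has_nonce_or_hash = any(
        k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords
    )
    # 'unsafe-inline' is ignored once any nonce or hash source is present (CSP2+).
    if "'unsafe-inline'" in keywords and not has_nonce_or_hash:
        return True, f"{name} allows 'unsafe-inline' (weak: injected inline scripts run too)"
    # Nonce and hash values are base64 and case-sensitive, so compare them exactly.
    if nonce and f"'nonce-{nonce}'" in sources:
        return True, f"{name} matches the script's nonce"
    for algo in ("sha256", "sha384", "sha512"):
        if script_hash(script_body, algo) in sources:
            return True, f"{name} matches the {algo} hash of the script"
    return False, f"{name} has no 'unsafe-inline', matching nonce or hash: inline script refused"


def allow_inline_by_hash(header, script_body):
    """Hardened policy: add an explicit script-src that keeps the existing sources
    and pins exactly this inline script by hash. default-src stays untouched."""
    policy = parse_csp(header)
    base = policy.get("script-src") or policy.get("default-src") or ["'self'"]
    policy["script-src"] = list(base) + [script_hash(script_body)]
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items())


if __name__ == "__main__":
    print("reported policy:", inline_script_allowed(ISSUE_POLICY, CALLBACK_SCRIPT))
    fixed = allow_inline_by_hash(ISSUE_POLICY, CALLBACK_SCRIPT)
    print("hardened policy:", fixed)
    print("hardened result:", inline_script_allowed(fixed, CALLBACK_SCRIPT))
```

Because the hash pins the exact script text, any change to the callback page's inline script (a new portal release, a different whitespace layout) produces a fresh `script-src-elem` report until the hash is updated; a per-response nonce avoids that maintenance cost but requires the page to be rendered with the nonce, which a static callback page cannot do.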