oidc-client-ts
Having issues with content security management
Hi,
Is there a recommended setup for content security management when using oidc-client-ts? Since converting my app from oidc-client to oidc-client-ts, I've had issues with my token becoming invalid. I suspect an issue with CSP. Please let me know what the recommended configuration should be. Below is my CSP, where I temporarily commented out the ones I thought might be an issue:
app.Use(async (context, next) =>
{
    // Drop the framework banner and the legacy XSS filter header, then set our own values.
    context.Response.Headers.Remove("X-Powered-By");
    context.Response.Headers.Remove("X-XSS-Protection");
    context.Response.Headers.Add("X-Xss-Protection", "1");
    // Clickjacking protection via X-Frame-Options (the CSP frame-ancestors directive below is commented out).
    context.Response.Headers.Remove("X-Frame-Options");
    context.Response.Headers.Add("X-Frame-Options", "DENY");
    context.Response.Headers.Remove("Referrer-Policy");
    context.Response.Headers.Add("Referrer-Policy", "no-referrer");
    context.Response.Headers.Remove("X-Content-Type-Options");
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    // Content-Security-Policy. Directives suspected of breaking sign-in are commented out;
    // note that with default-src 'none', any fetch directive that is not listed here
    // (connect-src, frame-src) falls back to 'none'.
    context.Response.Headers.Remove("Content-Security-Policy");
    context.Response.Headers.Add(
        "Content-Security-Policy",
        "default-src 'none'; " +
        //"trusted-types angular angular#unsafe-bypass; " +
        //"require-trusted-types-for 'script'; " +
        "img-src 'self' data:; " +
        "font-src 'self' data: https://fonts.gstatic.com; " +
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com; " +
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
        //$"frame-ancestors 'self'; " +
        "form-action 'self'; " //+
        //$"frame-src 'self'; " +
        //$"connect-src 'self' ws: {configuration.GetValue
    );
    await next();
});
The CSP for your application should allow script execution and connecting to your IDP.
Like:
    script-src 'self'
    connect-src 'self' <url(s) of your IDP>
    frame-src 'self' <url(s) of your IDP>
The browser gives you hints about issues with CSP in its console...
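As an added example (not code from oidc-client-ts or from either post above), the following builds a policy of the shape the answer recommends and checks it with a small evaluator for the fetch-style directives: it shows that, under the question's policy, connect-src and frame-src inherit default-src 'none', which blocks both the token request and the silent-renew iframe, while a policy that names the IdP origin in connect-src and frame-src lets them through. The app origin, the authority URL and the endpoint paths are assumptions for illustration, not values from the thread.

```javascript
// Added example, not code from oidc-client-ts or from the thread: build a CSP
// for an SPA that signs in with oidc-client-ts and check, with a small
// evaluator for the fetch-style directives, that the policy lets the library
// reach the identity provider. Assumed (illustrative) values: the app is served
// from https://app.example.com and the OIDC authority is https://login.example.com.

const APP_ORIGIN = 'https://app.example.com';
const AUTHORITY = 'https://login.example.com';

// Parse a Content-Security-Policy header into Map<directive, [source, ...]>.
// A repeated directive is ignored, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// connect-src, frame-src, img-src etc. fall back to default-src when absent;
// null means the directive is unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.has('default-src') ? policy.get('default-src') : null;
}

const DEFAULT_PORTS = { 'https:': '443', 'http:': '80', 'wss:': '443', 'ws:': '80' };

// Does one source expression match `url` for a page on `selfOrigin`? Handles
// 'none', 'self', '*', scheme sources (https:, data:) and host sources with an
// optional scheme, wildcard subdomain and port. Simplification: a scheme-less
// host source matches only the page's own scheme or https.
function sourceMatches(expr, url, selfOrigin) {
  const self = new URL(selfOrigin);
  if (expr === "'self'") return url.origin === self.origin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::([0-9]+|\*))?/i);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== self.protocol && url.protocol !== 'https:') {
    return false;
  }
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  const exprPort = port || (scheme ? DEFAULT_PORTS[scheme.toLowerCase() + ':'] : urlPort);
  return exprPort === '*' || exprPort === urlPort;
}

// Would a browser allow `target` under `directive` for a page on `selfOrigin`?
function cspAllows(header, directive, target, selfOrigin = APP_ORIGIN) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Keep default-src 'none' but open exactly what oidc-client-ts needs: XHR/fetch
// to the authority (discovery document, token, userinfo, end-session endpoints)
// and an iframe to it for silent renew and the session-check iframe.
function buildCsp({ authority, extraConnect = [], extraFrame = [] }) {
  const idp = new URL(authority).origin;
  return [
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self'",
    "img-src 'self' data:",
    "font-src 'self'",
    `connect-src 'self' ${[idp, ...extraConnect].join(' ')}`,
    `frame-src 'self' ${[idp, ...extraFrame].join(' ')}`,
    "form-action 'self'",
    "frame-ancestors 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Policy shaped like the one in the question: connect-src and frame-src are
// commented out, so both inherit default-src 'none'.
const POSTED_CSP =
  "default-src 'none'; img-src 'self' data:; font-src 'self' data: https://fonts.gstatic.com; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'; form-action 'self'";
const FIXED_CSP = buildCsp({ authority: AUTHORITY });

// Endpoint paths are illustrative; the real ones come from the discovery document.
const TOKEN_ENDPOINT = `${AUTHORITY}/connect/token`;
const AUTHORIZE_ENDPOINT = `${AUTHORITY}/connect/authorize`;

console.log('posted: token request allowed?', cspAllows(POSTED_CSP, 'connect-src', TOKEN_ENDPOINT));
console.log('posted: silent-renew iframe allowed?', cspAllows(POSTED_CSP, 'frame-src', AUTHORIZE_ENDPOINT));
console.log('fixed:  token request allowed?', cspAllows(FIXED_CSP, 'connect-src', TOKEN_ENDPOINT));
console.log('fixed:  silent-renew iframe allowed?', cspAllows(FIXED_CSP, 'frame-src', AUTHORIZE_ENDPOINT));
```

Run it with node; the two "posted" lines print false and the two "fixed" lines print true. The practical check is the same one the browser does: every URL oidc-client-ts contacts (the authority's discovery, token, userinfo and end-session endpoints over fetch/XHR, and the authorize endpoint inside the silent-renew and session-check iframes) has to be matched by connect-src or frame-src, or by default-src when those are absent, and with default-src 'none' the absent directives allow nothing. Deriving the origin from the same authority value the UserManager is configured with keeps the header and the client settings from drifting apart.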