CSP header syntax reference

When configuring the trusted sources security policy for your ASP.NET Core Renderer, you can granularly define the Content-Security-Policy HTTP response header for different types of content. The value of the Content-Security-Policy header contains one or more directives that define the valid sources for each type of content. The value of each directive can also contain specific keywords that let you fine-tune the behavior of the directive by matching or excluding certain conditions, much like building a regular expression. These keywords are known as a source list.

The following table provides a reference of the supported source list values:

| Source Value | Description |
|---|---|
| * | Wildcard; allows any URL except the data:, blob: and filesystem: schemes. |
| 'none' | Prevents loading resources from any source. |
| 'self' | Allows loading resources from the same origin (same scheme, host and port). |
| data: | Allows loading resources via the data: scheme (for example, Base64-encoded images). |
| domain.example.com | Allows loading resources from the specified domain name. |
| *.example.com | Allows loading resources from any subdomain under example.com. |
| https://cdn.com | Allows loading resources only over HTTPS from the given domain. |
| https: | Allows loading resources only over HTTPS from any domain. |
| 'unsafe-inline' | Allows inline source elements such as style attributes, inline event handlers (for example onclick), script tag bodies and javascript: URIs, depending on the directive it is applied to. |
| 'unsafe-eval' | Allows dynamic code evaluation such as JavaScript eval(). |
| 'nonce-<base64-value>' | Allows a script or style tag to execute if its nonce attribute matches the value given in the header. For example: `<script nonce="2726c7f26c">alert("hello");</script>` |
| 'sha256-<base64-value>' | Allows a specific inline script or style to execute if its content matches the hash. Does not work for javascript: URIs. For example, `sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=` allows `alert('Hello, world.');` |

NOTE: Multiple source list values can be separated by spaces, except for 'none', which must be the only value in the list.

Content-Security-Policy Examples

Below you can find examples of how to configure your Sitefinity CMS Content-Security-Policy HTTP header for some common scenarios:

Allow everything but only from the same origin
Put 'self' in Trusted sources for… -> Any content.

Only allow scripts from the same origin
Put 'self' in Trusted sources for… -> Scripts.

Allow Google Analytics, Google AJAX CDN and same origin
Put 'self' www.google-analytics.com ajax.googleapis.com in Trusted sources for… -> Any content.
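The following added example (not Sitefinity code) shows how the source list rules above translate into a header value: it builds the Content-Security-Policy string for the scenarios listed, quotes keyword and hash sources correctly, rejects a 'none' that is combined with other sources, and derives a 'sha256-...' source for an inline script. The mapping of the UI labels "Any content" and "Scripts" to the default-src and script-src directives is an assumption, not something this page states.

```python
import base64
import hashlib

# Keyword sources must be single-quoted in the header; scheme and host sources must not be.
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}
HASH_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")

# Assumed mapping from the "Trusted sources for..." labels to CSP directives.
UI_TO_DIRECTIVE = {"Any content": "default-src", "Scripts": "script-src"}


def hash_source(inline_code: str) -> str:
    """Return the 'sha256-...' source that allows exactly this inline script/style body."""
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return "'sha256-%s'" % base64.b64encode(digest).decode("ascii")


def normalize_source(value: str) -> str:
    """Add the quotes CSP requires around keyword, nonce and hash sources; leave hosts bare."""
    bare = value.strip().strip("'")
    if bare in KEYWORDS or bare.startswith(HASH_PREFIXES):
        return "'%s'" % bare
    return bare


def build_source_list(values: list) -> str:
    """Join a source list, enforcing that 'none' stands alone."""
    sources = [normalize_source(v) for v in values]
    if "'none'" in sources and len(sources) > 1:
        raise ValueError("'none' cannot be combined with other sources")
    return " ".join(sources)


def build_csp_header(trusted: dict) -> str:
    """Build the Content-Security-Policy value from {UI label: [sources]}."""
    parts = []
    for label, values in trusted.items():
        parts.append("%s %s" % (UI_TO_DIRECTIVE[label], build_source_list(values)))
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample: the Google Analytics scenario plus a hash-allowed inline script.
    policy = {
        "Any content": ["'self'", "www.google-analytics.com", "ajax.googleapis.com"],
        "Scripts": ["self", hash_source("alert('Hello, world.');")],
    }
    print("Content-Security-Policy: " + build_csp_header(policy))
```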

Default Policy

Projects created with Sitefinity CMS version 11.0 and later come with a pre-configured trusted sources policy. The default values for the Content-Security-Policy HTTP response header include the sources required by Sitefinity CMS to operate normally. You can customize the policy to suit your needs. Be aware that removing any of the default sources might result in abnormal behavior of Sitefinity CMS.
