Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Application Security and Data Safety > Security Considerations > Content Security Policy (CSP) in XAF Web Forms Apps
All docs
V23.2
.NET 6.0+
XAF: Cross-Platform .NET App UI & Web API
Getting Started
Installation, Upgrade, Version History
Backend Web API Service
UI Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Application Security and Data Safety
Security (Access Control & Authentication)
Security Considerations
General Security Considerations
Content Security Policy (CSP) in XAF Blazor Apps
Content Security Policy (CSP) in XAF Web Forms Apps
Audit Trail (History of Data Changes)
Multi-Tenancy (Data per Tenant)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Accessibility Support
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Content Security Policy (CSP) in XAF Web Forms Apps

  • 2 minutes to read

Content Security Policy (CSP) is a built-in browser mechanism that helps you protect your web application against certain types of attacks, such as Cross-Site Scripting (XSS), clickjacking, and data injection. CSP is supported in most modern browsers, including Chrome, Edge, Firefox, Opera, Safari, and mobile browsers.

To enable CSP protection, specify a Content-Security-Policy header or use the <meta> tag and explicitly define allowed functions using CSP directives.

Since XAF Web Forms applications are based on ASP.NET Web Forms Controls, the following directives are required. These directives allow ASP.NET Web Forms controls to function correctly.

  1. script-src 'unsafe-inline' – Initializes JavaScript instances of a control using inline script blocks.

  2. script-src 'unsafe-eval' – Allows controls to evaluate scripts on callback requests.

  3. img-src data: – Allows controls to use data images.

  4. style-src 'unsafe-inline' – Allows controls to initialize inline styles.

Apply these directives in the <head> section of Default.aspx and Login.aspx files of your XAF Web Forms application, as shown below:

<head>
    <!--...-->
    <meta http-equiv="Content-Security-Policy" 
          content="default-src 'self';
          script-src 'unsafe-inline' 'unsafe-eval' 'self';
          style-src 'unsafe-inline' 'self';
          img-src 'self' data:" />
    <!--...-->
</head>

For more information on each directive, refer to the following section: Content-Security-Policy: Directives.

Map Module

If you use the Maps Module, list the following directives in the <head> section of Default.aspx and Login.aspx files. These directives extend exceptions with Google resources (including scripts and styles) so that Google Maps can work correctly.

<head>
    <!--...-->
    <meta http-equiv="Content-Security-Policy" 
          content="default-src 'self' https://*.googleapis.com/ https://*.gstatic.com;
          script-src 'unsafe-inline' 'unsafe-eval' 'self' https://*.googleapis.com/ https://*.gstatic.com;
          style-src 'unsafe-inline' 'self' https://*.googleapis.com/ https://*.gstatic.com;
          img-src 'self' data: https://*.googleapis.com/ https://*.gstatic.com;" />
    <!--...-->
</head>
See Also