Skip to main content
All docs
V24.2

Content Security Policy (CSP) in XAF Web Forms Apps

  • 2 minutes to read

Content Security Policy (CSP) is a built-in browser mechanism that helps you protect your web application against certain types of attacks, such as Cross-Site Scripting (XSS), clickjacking, and data injection. CSP is supported in most modern browsers, including Chrome, Edge, Firefox, Opera, Safari, and mobile browsers.

To enable CSP protection, specify a Content-Security-Policy header or use the <meta> tag and explicitly define allowed functions using CSP directives.

Since XAF Web Forms applications are based on ASP.NET Web Forms Controls, the following directives are required. These directives allow ASP.NET Web Forms controls to function correctly.

  1. script-src 'unsafe-inline' – Initializes JavaScript instances of a control using inline script blocks.

  2. script-src 'unsafe-eval' – Allows controls to evaluate scripts on callback requests.

  3. img-src data: – Allows controls to use data images.

  4. style-src 'unsafe-inline' – Allows controls to initialize inline styles.

Apply these directives in the <head> section of Default.aspx and Login.aspx files of your XAF Web Forms application, as shown below:

<head>
    <!--...-->
    <meta http-equiv="Content-Security-Policy" 
          content="default-src 'self';
          script-src 'unsafe-inline' 'unsafe-eval' 'self';
          style-src 'unsafe-inline' 'self';
          img-src 'self' data:" />
    <!--...-->
</head>

For more information on each directive, refer to the following section: Content-Security-Policy: Directives.

Map Module

If you use the Maps Module, list the following directives in the <head> section of Default.aspx and Login.aspx files. These directives extend exceptions with Google resources (including scripts and styles) so that Google Maps can work correctly.

<head>
    <!--...-->
    <meta http-equiv="Content-Security-Policy" 
          content="default-src 'self' https://*.googleapis.com/ https://*.gstatic.com;
          script-src 'unsafe-inline' 'unsafe-eval' 'self' https://*.googleapis.com/ https://*.gstatic.com;
          style-src 'unsafe-inline' 'self' https://*.googleapis.com/ https://*.gstatic.com;
          img-src 'self' data: https://*.googleapis.com/ https://*.gstatic.com;" />
    <!--...-->
</head>
See Also