SamoSimoni-8322 asked ajkuma-MSFT commented

Problem with Content Security Policy on App Service

We are hosting WordPress on the App Service. We would like to have Google Analytics, but it seems that the default Content Security Policy on App Service blocks the Google Analytics request. We get the following error:

Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=UA-14354' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' .msecnd.net .google.com *.gstatic.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Can someone tell me where I can change Content Security Policy on App Service? I was trying to add the following code

 <httpProtocol>
   <customHeaders>
     <add name="Content-Security-Policy" value="default-src 'self';"/>
   </customHeaders>
 </httpProtocol>

in the web.config file via Kudu, but every time I get the following error:

The page cannot be displayed because an internal server error has occurred.

I would appreciate any help.

Samo

azure-webapps-security

Samo, while I'm checking on this internally, could you try this flow:

It could be added either as part of web.config or in application code.

 <system.webServer>
  <httpProtocol>
      <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self'" />
      </customHeaders>
  </httpProtocol>
 </system.webServer>    

In your case: <add name="Content-Security-Policy" value="default-src 'self';"/>
Test it out 1: <add name="Content-Security-Policy" value="default-src 'self'" />
Test it out 2: <add name="Content-Security-Policy" value="default-src 'self';" />

Kindly let us know; I'll follow up with you on this further.

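An added example, not part of the original thread: a simplified script-src check run against the directive and script URL quoted in the error. Browsers enforce every Content-Security-Policy header they receive, so a script must pass all of them and a second header can only tighten the result. The page origin is a constructed placeholder, and the matcher ignores ports, paths, nonces and hashes.

```javascript
// Values taken from the error message in the question.
const REPORTED = "script-src 'self' 'unsafe-eval' 'unsafe-inline' .msecnd.net .google.com *.gstatic.com";
const GTAG = 'https://www.googletagmanager.com/gtag/js?id=UA-14354';
const ORIGIN = 'https://example.azurewebsites.net'; // constructed placeholder origin

// Split one header value into directive name -> source list (first occurrence wins).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified source matching: '*', 'self', scheme-only and host sources.
function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // keywords such as 'unsafe-inline' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && m[1].toLowerCase() + ':' !== url.protocol) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // "*.example.com" matches subdomains only
    : url.hostname === host;
}

// A script loads only if every delivered policy allows it.
function scriptAllowed(headers, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  return headers.every((header) => {
    const policy = parsePolicy(header);
    // script-src-elem falls back to script-src, then to default-src.
    const list = policy.get('script-src-elem') ?? policy.get('script-src') ?? policy.get('default-src');
    if (list === undefined) return true; // this policy does not restrict scripts
    return list.some((s) => sourceMatches(s, url, pageOrigin));
  });
}

console.log(scriptAllowed([REPORTED], GTAG, ORIGIN)); // policy as reported
console.log(scriptAllowed([REPORTED, "default-src 'self'"], GTAG, ORIGIN)); // extra header added
console.log(scriptAllowed([REPORTED + ' https://www.googletagmanager.com'], GTAG, ORIGIN)); // source list edited
```

Only the last call returns true, which means the header that already carries the reported `script-src` list is the one to locate and edit.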