Content security policy
Configure a Content Security Policy with nonce support to prevent XSS attacks in CMS 13.
A Content Security Policy (CSP) mitigates cross-site scripting (XSS) attacks by telling the browser which scripts it may execute. Once a policy with a script-src directive is in place, inline script elements are blocked unless the policy explicitly allows them, so Optimizely Digital Experience Platform (DXP) and apps that use the Client Resources functionality fail to load, because they render inline scripts. To re-enable those scripts without falling back to 'unsafe-inline', add a per-request nonce both to the script-src directive of the policy and to the nonce attribute of each script element. See the nonce documentation for background.
ASP.NET does not have a built-in API for CSP. Third-party libraries provide one, and most include an API for nonce generation. However the policy is constructed, the Client Resources feature must know that a nonce is required when it renders script elements, and it must use the same nonce value that ends up in the policy for that request. Choose one of the following approaches:
Bring your own nonce
Use this approach when your CSP library already generates a nonce per request. Tell CMS to use that nonce by calling the following in startup, resolving the nonce from the library's own service:
services.AddContentSecurityPolicyNonce(sp => sp.GetRequiredService<IThirdPartyNonceProvider>().GetNonce());
Here IThirdPartyNonceProvider stands in for whatever nonce service the library registers. Then follow the library's recommendation for configuring and rendering the policy.
Use an autogenerated nonce
When no external nonce provider is needed, CMS generates a nonce for each request automatically. Call AddContentSecurityPolicyNonce without arguments:
services.AddContentSecurityPolicyNonce();
Retrieve the generated nonce with ICspNonceService and add it to the script-src directive of the policy (note that the first directive is default-src, not default):
private readonly ICspNonceService _nonceService;
// Build the policy value for the current request; the same nonce is placed on rendered script elements.
var policy = $"default-src 'self'; script-src 'nonce-{_nonceService.GetNonce()}' 'strict-dynamic'";
Note: In either case, add 'strict-dynamic' to the script-src directive for best support. With 'strict-dynamic', scripts that a nonced script loads at runtime (for example via document.createElement) are trusted without needing their own nonce, which is what Client Resources and DXP rely on.
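Putting the pieces together, the following is an added example (not Optimizely's own code, and not part of the original page) of the "bring your own nonce" approach wired into an ASP.NET Core pipeline: a scoped nonce provider, the AddContentSecurityPolicyNonce registration the page describes, and a middleware that writes the Content-Security-Policy header using the nonce read back from ICspNonceService. Only AddContentSecurityPolicyNonce and ICspNonceService.GetNonce() are taken from this page; the INonceProvider interface, RandomNonceProvider, ContentSecurityPolicyMiddleware, the namespace import for ICspNonceService and the exact policy string are assumptions for illustration, and the example assumes ICspNonceService resolves the same nonce for the whole request.

```csharp
// Added example (not Optimizely's code). Only AddContentSecurityPolicyNonce and
// ICspNonceService.GetNonce() come from the CMS 13 documentation; everything
// else below is illustrative and must be adapted to your project.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using EPiServer.Web; // assumed namespace for ICspNonceService; adjust to your CMS version

var builder = WebApplication.CreateBuilder(args);

// One provider instance per request, so the header and every rendered
// <script nonce="..."> in that request see the same value.
builder.Services.AddScoped<INonceProvider, RandomNonceProvider>();

// "Bring your own nonce": hand the CMS a delegate that resolves our provider.
builder.Services.AddContentSecurityPolicyNonce(
    sp => sp.GetRequiredService<INonceProvider>().GetNonce());

var app = builder.Build();

// Emit the policy early so it applies to every response that follows.
app.UseMiddleware<ContentSecurityPolicyMiddleware>();
app.MapGet("/", () => "CSP demo");
app.Run();

// Hypothetical nonce provider: 128 bits from the OS CSPRNG, base64-encoded.
// A nonce must be unpredictable and unique per response; never reuse one.
public interface INonceProvider
{
    string GetNonce();
}

public sealed class RandomNonceProvider : INonceProvider
{
    private readonly string _nonce =
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));

    public string GetNonce() => _nonce;
}

// Hypothetical middleware. ASP.NET Core has no built-in CSP API, so the header
// is written by hand. The nonce is read through ICspNonceService rather than
// INonceProvider directly, which proves the CMS sees the same value that
// Client Resources will place on the script elements it renders.
public sealed class ContentSecurityPolicyMiddleware
{
    private readonly RequestDelegate _next;

    public ContentSecurityPolicyMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context, ICspNonceService nonceService)
    {
        var nonce = nonceService.GetNonce();

        // 'strict-dynamic' trusts scripts loaded by an already-trusted (nonced)
        // script. 'unsafe-inline' and https: are fallbacks for browsers without
        // CSP Level 3 support; browsers that understand 'strict-dynamic' ignore
        // them, so inline script injection is still blocked where it matters.
        var policy =
            "default-src 'self'; " +
            $"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; " +
            "object-src 'none'; base-uri 'self'";

        context.Response.Headers["Content-Security-Policy"] = policy;

        // For your own inline scripts outside Client Resources, render the same
        // value on the element, e.g. in Razor:
        //   <script nonce="@NonceService.GetNonce()">...</script>
        await _next(context);
    }
}
```

To check the wiring, request a page and compare the nonce in the Content-Security-Policy response header with the nonce attribute on the inline script elements in the HTML; they must match exactly, and a second request must produce a different value. A mismatch usually means the nonce provider was registered as a singleton or was resolved from a different service scope than the one the CMS uses, and the browser console will then report blocked inline scripts.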