CSP headers and Content Hub

Created: 27 Apr 2020, last update: 12 Sep 2020

CSP headers, Sitecore Content Hub, custom modules, Sitecore broken after changing the Content-Security-Policy.

Sitecore 9.3 comes out of the box with Content Security Policy (CSP) headers.

https://kb.sitecore.net/articles/464569

CSP is an added layer of security that helps to mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

In short, it tells the web browser which resources are allowed, per resource type and per domain. It is configured for all URLs below /sitecore, so out of the box it protects the CMS, not your (public) website. The config is in the web.config.

This is the vanilla configuration for Sitecore 9.3:

<location path="sitecore">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Content-Type-Options"/>
          <remove name="X-XSS-Protection"/>
          <remove name="Content-Security-Policy"/>
          <add name="X-XSS-Protection" value="1; mode=block"/>
          <add name="X-Content-Type-Options" value="nosniff"/>
          <add name="Content-Security-Policy"
            value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://apps.sitecore.net;
img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self'
 'unsafe-inline' https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content;"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
</location>

If you connect to a DAM system, or you have built something custom in your Sitecore that needs an external resource, you need to modify the Content-Security-Policy setting.

An example CSP for Sitecore with Sitecore Content Hub (note that the data: scheme in img-src keeps its colon, as in the vanilla config):

<add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://apps.sitecore.net; img-src 'self' data: https://stockpick.stylelabsdev.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' 'unsafe-inline' https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content; child-src 'self' https://stockpick.stylelabsdev.com/; connect-src 'self' https://stockpick.stylelabsdev.com/;" />

If you copy the sample from the Sitecore Connect for Sitecore DAM™ 2.0 installation PDF, the hyphen (-) can be lost and the words joined: 'unsafe-eval' becomes 'unsafeeval' and 'unsafe-inline' becomes 'unsafeinline'. The browser then treats those quoted tokens as host names, which it cannot parse, so the keyword is silently dropped from the directive.

The invalid CSP looks like this:

<add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafeeval' https://apps.sitecore.net; img-src 'self' data https://content-hub-url.io/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' 'unsafeinline' https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content; child-src 'self' https://content-hub-url.io/; connect-src 'self' https://content-huburl.io/;" />

This results in the following errors in the browser console:

Content Security Policy: The page’s settings blocked the loading of a resource at https://sc93identityserver.dev.local/favicon.ico ("default-src"). FaviconLoader.jsm:165:19
Content Security Policy: Couldn’t parse invalid host 'unsafeeval'
Content Security Policy: Couldn’t parse invalid host 'unsafeinline'
This page uses the non standard property "zoom". Consider using calc() in the relevant property values, or using "transform" along with "transform-origin: 0 0". default.aspx
Content Security Policy: Couldn’t parse invalid host 'unsafeeval'
Content Security Policy: Couldn’t parse invalid host 'unsafeinline'
: EvalError: call to eval() blocked by CSP jsnlog.js:528:23
EvalError: call to eval() blocked by CSP Sitecore.js:794:18
Content Security Policy: The page’s settings blocked the loading of a resource at eval ("default-src"). Sitecore.js:794:17

And if you try to open a page in the Content Editor you get an error like this:

Multiple controls with the same ID 'FContentB092BDBC8A18440F89EBFE641B65BC05' were found. FindControl requires that controls have unique IDs.

If you see this after installing and configuring Sitecore Connect for Sitecore DAM on Sitecore 9.3 or higher, check your Content-Security-Policy in the web.config.
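A small lint pass over the header value catches exactly the copy errors described above (a quoted keyword that is not a real CSP keyword, or a scheme like data: that lost its colon) before the web.config goes to a server. This is an added example, not code from the original post or from Sitecore; the keyword list and the source-expression patterns are my own approximation of the CSP grammar, and the two policies at the bottom are constructed from the samples in the post.

```python
import re

# Keyword sources CSP recognises (always single-quoted). Anything else in quotes,
# such as 'unsafeeval' or 'unsafeinline', is treated by browsers as an invalid host.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'"}
NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$")
SCHEME_SOURCE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)            # data:, blob:
HOST_SOURCE = re.compile(
    r"^(\*|(https?|wss?)://)?(\*\.)?[a-z0-9.-]+(:(\d+|\*))?(/[^\s;,]*)?$", re.I)
# Directives that take no source list (assumption: the two used in this web.config).
FLAG_DIRECTIVES = {"upgrade-insecure-requests", "block-all-mixed-content"}


def lint_csp(policy):
    """Return a list of problems found in a Content-Security-Policy header value."""
    problems, seen = [], set()
    for chunk in policy.split(";"):
        if not chunk.strip():
            continue
        name, *sources = chunk.split()
        name = name.lower()
        if name in seen:
            problems.append(f"{name}: directive repeated (browsers keep the first only)")
        seen.add(name)
        if name in FLAG_DIRECTIVES:
            if sources:
                problems.append(f"{name}: takes no sources")
            continue
        for src in sources:
            if src in KEYWORDS or NONCE_OR_HASH.match(src) or SCHEME_SOURCE.match(src):
                continue
            if src.startswith("'"):
                problems.append(f"{name}: unknown keyword {src} (hyphen lost when copying?)")
            elif HOST_SOURCE.match(src) and ("." in src or "*" in src
                                             or src.lower() == "localhost"):
                continue                                       # plausible host source
            else:
                problems.append(f"{name}: bare token {src!r} is parsed as a host name; "
                                f"did you mean '{src}' or {src}: ?")
    return problems


# Constructed from the post: the mangled PDF copy and the corrected policy.
BROKEN_CSP = ("default-src 'self' 'unsafe-inline' 'unsafeeval' https://apps.sitecore.net; "
              "img-src 'self' data https://content-hub-url.io/; font-src 'self' 'unsafeinline' "
              "https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content;")
FIXED_CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' https://apps.sitecore.net; "
             "img-src 'self' data: https://content-hub-url.io/; font-src 'self' 'unsafe-inline' "
             "https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content;")
```

Run `lint_csp(BROKEN_CSP)` to see the three mangled tokens reported; a host with a typo in its name (content-huburl.io) is syntactically valid and will not be flagged, so that one still needs a human eye.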