weixin_33743661 2017-09-21 18:57 acceptance rate: 0%
71 views

"unsafe-eval" MVC boilerplate

I'm getting the error:

vendor.js:328 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of the script in the following Content Security Policy directive: "script-src 'self' localhost:* ajax.googleapis.com ajax.aspnetcdn.com".

I know I can solve this error by setting UnsafeEval = true, but this is unsafe and opens my site up to XSS vulnerabilities.

Therefore, is there a way I can allow some scripts through, and also forms when I use AJAX? Maybe you guys can give me an example of how to use these methods; I'm not quite sure how to do it.

// form-action - This directive restricts where forms on the page may be submitted.
filters.Add(
    new CspFormActionAttribute()
    {
        // Allow forms to post back to example.com.
        // CustomSources = "*.example.com",
        // Allow forms to post back to the same domain.
        Self = true
    });

// child-src - This directive restricts web workers and embedded frames.
filters.Add(
    new CspChildSrcAttribute()
    {
        // Allow web workers or embed frames from example.com.
        // CustomSources = "*.example.com",
        // Allow web workers or embed frames from the same domain.
        Self = false
    });

// connect-src - This directive restricts which URIs the protected resource can load using script interfaces
// (Ajax Calls and Web Sockets).
filters.Add(
    new CspConnectSrcAttribute()
    {

        // Allow Browser Link to work in debug mode only.
        CustomSources = string.Join(" ", "localhost:*", "ws://localhost:*"),

        // Allow AJAX and Web Sockets to example.com.
        // CustomSources = "*.example.com",

        // Allow all AJAX and Web Sockets calls from the same domain.
        Self = true
    });
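The attributes in the question are NWebsec's MVC filters, which ASP.NET MVC Boilerplate registers in FilterConfig. The example below is added here and is not code from the question, from ASP.NET MVC Boilerplate or from NWebsec; it shows one way to answer the question's goal: keep 'unsafe-eval' off, list the script hosts that may load, and open connect-src and form-action only as far as the app's own AJAX calls and forms need. The CDN host names are the ones already in the question's policy; "api.example.com" is a placeholder, not a host from the question.

```csharp
// Added example (not from the question, ASP.NET MVC Boilerplate or NWebsec itself).
// Assumes the NWebsec.Mvc package, whose attributes the question is already using.
using System.Web.Mvc;
using NWebsec.Mvc.HttpHeaders.Csp;

public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Emit the Content-Security-Policy header at all.
        filters.Add(new CspAttribute());

        // Fallback for every directive not set explicitly below: same origin only.
        filters.Add(new CspDefaultSrcAttribute() { Self = true });

        // script-src: the app's own scripts plus the two CDNs from the question's policy.
        // UnsafeEval and UnsafeInline stay false. The EvalError in the question is the
        // policy doing its job: the library in vendor.js that calls eval()/new Function()
        // should be replaced or rebuilt in a CSP-compatible mode rather than the policy
        // being loosened for every script on the site.
        filters.Add(new CspScriptSrcAttribute()
        {
            Self = true,
            CustomSources = string.Join(" ", "ajax.googleapis.com", "ajax.aspnetcdn.com"),
            UnsafeEval = false,
            UnsafeInline = false
        });

        // connect-src: where XMLHttpRequest / fetch / WebSocket calls may go.
        // Same origin covers the app's own AJAX endpoints; the extra host is a placeholder.
        filters.Add(new CspConnectSrcAttribute()
        {
            Self = true,
            CustomSources = "api.example.com" // placeholder host, not from the question
        });

        // form-action: where <form> submissions (including AJAX-posted forms) may be sent.
        filters.Add(new CspFormActionAttribute() { Self = true });

        // child-src: frames and web workers from the same origin only.
        filters.Add(new CspChildSrcAttribute() { Self = true });

        // report-uri: browsers POST violation reports to NWebsec's built-in handler,
        // so a blocked script is visible server-side instead of only in a user's console.
        filters.Add(new CspReportUriAttribute() { EnableBuiltinHandler = true });
    }
}
```

With UnsafeInline off, any inline script that must stay on a page needs a nonce; NWebsec's Razor helper `@Html.CspScriptNonce()` emits a per-request nonce attribute that matches the header, so only that script block runs and injected inline script is still refused. The report-uri entry is the detection side of the same configuration: after deploying the tightened policy, the violation reports show which bundled library still relies on eval(), which is the thing to fix instead of setting UnsafeEval = true.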