Hello @Harambear

In the recent CMS 13 release as Stott Security v7, I introduced the ability to vary your headers by Site/Application and by Host Name. If you have a separate Edit host from your primary host then you can set the headers differently between the front end and back end. I'm working on applying this to what will be Stott Security v6 for CMS 12. In the meantime there is an option to disable nonce and hashes for the CMS backend in the startup.cs service extensions that should be covered in the readme.md. I've also previously responded with a solution which was a custom middleware that removes the CSP on certain paths.
Hello @Harambear

I've started the retrofitting of the new CMS 13 functionality that allows you to vary headers by Global, Application and Host functionality onto the CMS 12 solution. There is a lot of testing involved in getting this to a CMS 12 release. I've added a placeholder ticket here: #369. I'm also thinking I may put a couple of Articles together to support actions like this.
Hello,
I thought I read that CMS edit pages (authenticated) would ignore the CSP settings, but it doesn't seem to be behaving this way.
I tried looking up the documentation that stated it, but couldn't find it.
Can anyone point me to how to set it up so CSP isn't applied to the authenticated CMS edit pages?
Thank you!
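The first reply mentions a custom middleware that removes the CSP on certain paths. The following is an added sketch of that idea, not the maintainer's code and not part of Stott Security; the class name and the path prefixes are assumptions, and it strips the header only for authenticated requests so anonymous responses under those paths keep their policy:

```csharp
// Added example. Class name and path prefixes are assumptions, not Stott Security code.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public sealed class CspPathExclusionMiddleware
{
    // Assumed placeholders for the CMS backend paths; replace with the ones your site uses.
    private static readonly PathString[] ExcludedPrefixes =
    {
        new PathString("/episerver"),
        new PathString("/util")
    };

    private readonly RequestDelegate _next;

    public CspPathExclusionMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        if (IsExcluded(context.Request.Path))
        {
            // OnStarting callbacks run just before the headers are sent, so any CSP
            // header written by middleware later in the pipeline is already present.
            context.Response.OnStarting(() =>
            {
                // By this point authentication has run, so User reflects the signed-in editor.
                if (context.User.Identity?.IsAuthenticated == true)
                {
                    context.Response.Headers.Remove("Content-Security-Policy");
                    context.Response.Headers.Remove("Content-Security-Policy-Report-Only");
                }
                return Task.CompletedTask;
            });
        }
        return _next(context);
    }

    // Segment-aware match: "/episerver/cms" is excluded, "/episerver-news" is not.
    private static bool IsExcluded(PathString path)
    {
        foreach (var prefix in ExcludedPrefixes)
        {
            if (path.StartsWithSegments(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
```

Register it with `app.UseMiddleware<CspPathExclusionMiddleware>();` before the middleware that adds the security headers, so its callback is registered first and therefore runs last when the response starts.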