Content-Security-Policy Header
As of version 1.51.0, a Content-Security-Policy header is applied to all responses returned by The Identity Hub; as of version 1.68.0 the CSP is even more restrictive.
The returned CSP header allows only the (external) sources that the response actually requires.
The CSP header is determined dynamically to be as strict as possible:
E.g. on the self-registration pages a Google reCAPTCHA is used, so the related sources are allowed by the CSP header.
If a tenant does not allow registration, these sources are not included.
Likewise, if the web.config has Google Analytics or Application Insights (by Microsoft) settings configured, the related sources are allowed.
However, for on-premises installations you may need to overrule or extend this (e.g. because your customized views require additional external sources).
There are two ways to do so:
- Add a global fixed CSP header via a setting that is applied to all responses, or
- Configure an optimized CSP header for the particular customized view(s) (preferred method)
Warning
If a global OnPremiseCSPHeader is applied, it takes priority over more specific CSP configurations. Because it is applied to all responses, it is highly recommended to use the second option to get an optimized CSP header.
1. How to apply a fixed CSP header to ALL responses returned by The Identity Hub
As an appSetting via the web.config
- In the root folder of The Identity Hub installation, open your web.config file
- Navigate to the appSettings section, which is a direct child of the configuration root element (not of system.webServer):
    <configuration>
      <appSettings>
- Add the following setting (minimal; see below for additional sources):
    <add key="OnPremiseCSPHeader" value="default-src 'self';script-src 'self';style-src 'self' https://use.fontawesome.com/ https://fonts.googleapis.com/;img-src 'self' https://* blob:;frame-src 'self';font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;connect-src 'self';frame-ancestors 'none'" />
- Complete the different source lists with the ones applicable to your customized The Identity Hub instance (see below)
- Save your web.config
- In case you have multiple instances running, repeat this for all instances*
(*) When running in Azure, store the appSetting in the cloud configuration instead
As a system setting via the database
1. Decide the CSP header you need by starting from the minimal value:
    default-src 'self';script-src 'self';style-src 'self' https://use.fontawesome.com/ https://fonts.googleapis.com/;img-src 'self' https://* blob:;frame-src 'self';font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;connect-src 'self';frame-ancestors 'none'
   and adding all required additional sources (see below)
2. In the database, configure a system setting OnPremiseCSPHeader with the value you determined
Additional sources to add
When using Google Analytics
- Add to the script-src list: https://*.google-analytics.com/ https://www.googletagmanager.com/
- Add to the connect-src list: https://*.google-analytics.com/
When using Application Insights
- Add to the script-src list: https://az416426.vo.msecnd.net/
- Add to the connect-src list: https://dc.services.visualstudio.com/
When self-registration is allowed on the username / password account provider (reCAPTCHA)
- Add to the script-src list: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google-analytics.com/
- Add to the frame-src list: https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/
- Add to the connect-src list: https://www.google-analytics.com/
When you collect geolocation info (Bing Maps)
- Add to the script-src list: 'unsafe-eval' https://*.virtualearth.net https://*.bing.com
- Add to the style-src list: 'unsafe-inline' https://*.virtualearth.net https://*.bing.com
- Add to the img-src list: data:
- Add to the font-src list: data:
- Add to the connect-src list: https://*.virtualearth.net https://*.bing.com
When all of the above features are enabled within your TIH instance
- Start with the value below and, if applicable, extend it with your custom sources:
    default-src 'self';script-src 'self' 'unsafe-eval' https://*.google-analytics.com/ https://www.googletagmanager.com/ https://az416426.vo.msecnd.net/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://*.virtualearth.net https://*.bing.com;
    style-src 'self' 'unsafe-inline' https://use.fontawesome.com/ https://fonts.googleapis.com/ https://*.virtualearth.net https://*.bing.com;img-src 'self' https://* blob: data:;frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/;
    font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com data:;connect-src 'self' https://*.google-analytics.com/ https://dc.services.visualstudio.com/ https://*.virtualearth.net https://*.bing.com;frame-ancestors 'none'
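Hand-merging the per-feature source lists above into one header value is error-prone (a forgotten directive, a duplicated source, a wildcard that already covers a host). The following is an added Python example, not code from The Identity Hub: it holds the minimal value and the per-feature additions exactly as listed on this page (the feature keys such as google_analytics and the helper names are this example's own), merges them, drops host-sources already covered by a wildcard in the same directive (which is why the combined value above lists https://*.google-analytics.com/ but not https://www.google-analytics.com/), and compares the result with the combined value the page gives.

```python
"""Compose an OnPremiseCSPHeader value from the minimal policy plus per-feature
sources, and compare it with the page's combined value.  Added example; the
feature keys and helper functions are this example's own, not part of TIH."""

# Minimal value from the page (no optional feature enabled).
MINIMAL_CSP = (
    "default-src 'self';script-src 'self';"
    "style-src 'self' https://use.fontawesome.com/ https://fonts.googleapis.com/;"
    "img-src 'self' https://* blob:;frame-src 'self';"
    "font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;"
    "connect-src 'self';frame-ancestors 'none'"
)

# Per-feature additions transcribed from the page (feature keys are ours).
FEATURE_SOURCES = {
    "google_analytics": {
        "script-src": ["https://*.google-analytics.com/", "https://www.googletagmanager.com/"],
        "connect-src": ["https://*.google-analytics.com/"],
    },
    "application_insights": {
        "script-src": ["https://az416426.vo.msecnd.net/"],
        "connect-src": ["https://dc.services.visualstudio.com/"],
    },
    "recaptcha": {
        "script-src": ["https://www.google.com/recaptcha/", "https://www.gstatic.com/recaptcha/",
                       "https://www.google-analytics.com/"],
        "frame-src": ["https://www.google.com/recaptcha/", "https://recaptcha.google.com/recaptcha/"],
        "connect-src": ["https://www.google-analytics.com/"],
    },
    "bing_maps": {
        "script-src": ["'unsafe-eval'", "https://*.virtualearth.net", "https://*.bing.com"],
        "style-src": ["'unsafe-inline'", "https://*.virtualearth.net", "https://*.bing.com"],
        "img-src": ["data:"],
        "font-src": ["data:"],
        "connect-src": ["https://*.virtualearth.net", "https://*.bing.com"],
    },
}

# Combined value from the page ("all of the above features enabled").
FULL_CSP_FROM_PAGE = (
    "default-src 'self';script-src 'self' 'unsafe-eval' https://*.google-analytics.com/ "
    "https://www.googletagmanager.com/ https://az416426.vo.msecnd.net/ https://www.google.com/recaptcha/ "
    "https://www.gstatic.com/recaptcha/ https://*.virtualearth.net https://*.bing.com;"
    "style-src 'self' 'unsafe-inline' https://use.fontawesome.com/ https://fonts.googleapis.com/ "
    "https://*.virtualearth.net https://*.bing.com;img-src 'self' https://* blob: data:;"
    "frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/;"
    "font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com data:;"
    "connect-src 'self' https://*.google-analytics.com/ https://dc.services.visualstudio.com/ "
    "https://*.virtualearth.net https://*.bing.com;frame-ancestors 'none'"
)


def parse_csp(header):
    """Split 'directive src src;directive src' into an ordered dict directive -> [sources]."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    return ";".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def _split_host_source(source):
    """(scheme, host, path) for a host-source; None for keywords such as 'self', blob: or data:."""
    if "://" not in source:
        return None
    scheme, rest = source.split("://", 1)
    hostport, _, path = rest.partition("/")
    return scheme.lower(), hostport.split(":")[0].lower(), "/" + path


def covers(pattern, source):
    """True if `pattern` already matches everything `source` matches (CSP host matching:
    '*' is any host, '*.example.com' is any subdomain but not example.com itself, and a
    pattern path is a prefix of the source path; '/' or no path matches every path)."""
    p, s = _split_host_source(pattern), _split_host_source(source)
    if p is None or s is None or p[0] != s[0]:
        return False
    if p[1] == "*":
        host_ok = True
    elif p[1].startswith("*."):
        host_ok = s[1].endswith(p[1][1:]) and s[1] != p[1][2:]
    else:
        host_ok = s[1] == p[1]
    return host_ok and (p[2] == "/" or s[2].startswith(p[2]))


def minimize(sources):
    """Drop duplicates and any source already covered by another source in the list."""
    kept = []
    for src in dict.fromkeys(sources):          # dedupe, keep first-seen order
        if any(covers(k, src) for k in kept):
            continue
        kept = [k for k in kept if not covers(src, k)] + [src]
    return kept


def build_csp(enabled_features, extra=None):
    """Minimal policy + enabled feature sources + optional {directive: [custom sources]}."""
    policy = parse_csp(MINIMAL_CSP)
    for feature in enabled_features:
        for directive, sources in FEATURE_SOURCES[feature].items():
            policy.setdefault(directive, []).extend(sources)
    for directive, sources in (extra or {}).items():
        policy.setdefault(directive, []).extend(sources)
    return serialize_csp({d: minimize(s) for d, s in policy.items()})


def normalized(header):
    """directive -> frozenset(sources), for an order-insensitive comparison of two values."""
    return {d: frozenset(minimize(s)) for d, s in parse_csp(header).items()}


if __name__ == "__main__":
    print(build_csp(["google_analytics", "recaptcha"], {"script-src": ["https://code.jquery.com/"]}))
```

Use build_csp with exactly the features your tenant enables; in particular 'unsafe-eval' and 'unsafe-inline' only enter the value when the Bing Maps feature is selected, so a value that carries them without that feature should be treated as a configuration error.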
2. When you have customized TIH Views and prefer an optimized CSP header
The Identity Hub applies a CSP that is as strict as possible: it does not allow eval in scripts, nor inline scripts or inline styles that lack a nonce.
If you have customized a view in such a way that you need to configure the CSP header in more detail, follow the guidelines below.
Warning
Make sure to leave the default configuration of the views intact.
Preferably, use the HtmlHelper extensions (in namespace U2UConsult.Framework.Web) that emit the nonce attribute for you:
    @using U2UConsult.Framework.Web;
    ...
    <style @Html.StyleNonce()>
        .yourclass {
            ...
        }
    </style>
    ...
    <script @Html.ScriptNonce()>
        ... your script here
    </script>
Or, if your customizations require more detailed changes, use the following in your custom views or _Layout (parent layout) files:
    @using U2UConsult.Framework.Web;
    ...
    @section head {
        @{
            // get access to the CSP configuration
            var context = new U2UConsult.Framework.Web.HttpContextWrapper(Context);
            var config = context.CspConfig();
            // if needed, allow unsafe script or style
            config.ScriptSrc.UnsafeEvalSrc = true;   // only when eval is used in scripts
            config.StyleSrc.UnsafeInlineSrc = true;  // only when inline styles (without nonce) are used in the view
            ...
            // example: add a list of custom sources to a specific directive
            config.ScriptSrc.CustomSources.UnionWith(new[] { "https://kendo.cdn.telerik.com/", "https://code.jquery.com/" });
            ...
            // !!!! do not forget to output the CSP as a header
            CspHelper.SetCspHeaders(context); // set the header on the response
        }
    }
If you have additional external sources that must be allowed in every source directive, you can add them to all directives in one go like this:
    @section head {
        @{
            HubConfiguration.InitializeCSPHeader(new U2UConsult.Framework.Web.HttpContextWrapper(Context), new[] { "https://kendo.cdn.telerik.com/", "https://code.jquery.com/" });
        }
    }
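To show what the nonce-based approach in this section buys you over 'unsafe-inline', here is an added Python example (not part of The Identity Hub and not using its U2UConsult.Framework.Web helpers; the function names and the constructed view fragment are this example's own). It issues a fresh nonce per response, adds 'nonce-…' to script-src and style-src of a strict base policy, and audits a constructed view in which two elements carry the nonce, as @Html.ScriptNonce() and @Html.StyleNonce() would emit it, and one does not. It also encodes the CSP Level 2 rule that 'unsafe-inline' is ignored by the browser once a nonce source is present in the same directive.

```python
"""Per-response nonces for a strict CSP.  Added example with its own helpers;
hash sources ('sha256-...') are not modelled, only nonce sources."""
import hmac
import re
import secrets

# Strict base policy: no 'unsafe-inline', no 'unsafe-eval'.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "frame-ancestors": ["'none'"],
}

_NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def make_nonce():
    """A fresh, unguessable nonce for one response only (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def with_nonce(policy, nonce):
    """Copy of `policy` with 'nonce-<value>' added to script-src and style-src."""
    updated = {d: list(s) for d, s in policy.items()}
    for directive in ("script-src", "style-src"):
        updated.setdefault(directive, ["'self'"]).append(f"'nonce-{nonce}'")
    return updated


def serialize_csp(policy):
    return ";".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def render_view(nonce):
    """Constructed view fragment: two elements carry the response nonce, one does not."""
    return (
        f'<style nonce="{nonce}">.yourclass {{ color: red; }}</style>\n'
        f'<script nonce="{nonce}">console.log("trusted inline script");</script>\n'
        '<script>console.log("inline script without nonce");</script>'
    )


def inline_allowed(directive_sources, tag_attributes):
    """Would a browser apply an inline element with these attributes under the directive?
    Once a nonce source is present, 'unsafe-inline' is ignored (CSP Level 2), so the
    element must carry a matching nonce; without any nonce source, 'unsafe-inline' decides."""
    nonces = [s[len("'nonce-"):-1] for s in directive_sources if s.startswith("'nonce-")]
    match = _NONCE_ATTR.search(tag_attributes)
    if nonces:
        return match is not None and any(hmac.compare_digest(match.group(1), n) for n in nonces)
    return "'unsafe-inline'" in directive_sources


def respond():
    """Build one response: (parsed policy, header value, HTML body)."""
    nonce = make_nonce()
    policy = with_nonce(BASE_POLICY, nonce)
    return policy, serialize_csp(policy), render_view(nonce)


def audit(policy, html):
    """For every inline <script>/<style> in html, report (tag, allowed?) under the policy."""
    results = []
    for m in re.finditer(r"<(script|style)\b([^>]*)>", html):
        directive = "script-src" if m.group(1) == "script" else "style-src"
        results.append((m.group(0), inline_allowed(policy[directive], m.group(2))))
    return results


if __name__ == "__main__":
    policy, header, html = respond()
    print("Content-Security-Policy:", header)
    for tag, ok in audit(policy, html):
        print("allowed" if ok else "BLOCKED", tag)
```

The nonce must be generated per response and never reused or derived from something predictable; the audit step is what you would run against a rendered customized view to confirm that every inline script or style it contains was emitted through the nonce helpers rather than by hand.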