Aktualisiere CSP zur Unterstützung von PSPDFKit durch Aktivierung von unsafe-inline, unsafe-eval, Blob-URLs und Anpassung verschiedener Quellrichtlinien.

EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml

@@ -69,7 +69,7 @@
 
     var envelopeKey = ViewData["EnvelopeKey"] as string;
 
-    <script nonce="@nonce">
+<script nonce="@nonce">
     var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
     var byteCharacters = atob(base64String);
     var byteNumbers = new Array(byteCharacters.length);
@@ -83,6 +83,6 @@
         const app = new App("#app", "@envelopeKey.TrySanitize(_sanitizer)", @Html.Raw(envelopeReceiverJson.TrySanitize(_sanitizer)), documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
         await app.init();
     })
-    </script>
+</script>
 }
 <div id='app'></div>

EnvelopeGenerator.Web/appsettings.json

@@ -19,17 +19,18 @@
   },
   "PSPDFKitLicenseKey": null,
   /* The first format parameter {0} will be replaced by the nonce value. */
-  "TestCSP": false,
+  "TestCSP": true,
   "Content-Security-Policy": [
     "default-src 'self'",
-    "script-src 'self' 'nonce-{0}'",
-    "style-src 'self' 'nonce-{0}'",
-    "img-src 'self' data: https:",
+    "script-src 'self' 'nonce-{0}' 'unsafe-inline' 'unsafe-eval' blob: data:",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https: blob:",
     "font-src 'self'",
-    "connect-src 'self' http://localhost:* https://localhost:* ws://localhost:* wss://localhost:*",
+    "connect-src 'self' http://localhost:* https://localhost:* ws://localhost:* wss://localhost:* blob:",
     "frame-src 'self'",
     "media-src 'self'",
-    "object-src 'self'"
+    "object-src 'self'",
+    "worker-src 'self' blob: data:"
   ],
   "AdminPassword": "dd",
   "AllowedOrigins": [ "https://localhost:7202", "https://digitale.unterschrift.wisag.de/" ],