Aktualisiere CSP zur Unterstützung von PSPDFKit durch Aktivierung von unsafe-inline, unsafe-eval, Blob-URLs und Anpassung verschiedener Quellrichtlinien.

2024-05-16 11:11:40 +02:00 · 2024-05-16 11:11:40 +02:00 · 81220ac9b4
commit 81220ac9b4
parent d7252ce888
2 changed files with 21 additions and 20 deletions
--- a/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
@ -69,20 +69,20 @@

    var envelopeKey = ViewData["EnvelopeKey"] as string;

-    <script nonce="@nonce">
-        var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
-        var byteCharacters = atob(base64String);
-        var byteNumbers = new Array(byteCharacters.length);
-        for (var i = 0; i < byteCharacters.length; i++) {
-            byteNumbers[i] = byteCharacters.charCodeAt(i);
-        }
-        var byteArray = new Uint8Array(byteNumbers);
-        var documentArrayBuffer = byteArray.buffer;
+<script nonce="@nonce">
+    var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
+    var byteCharacters = atob(base64String);
+    var byteNumbers = new Array(byteCharacters.length);
+    for (var i = 0; i < byteCharacters.length; i++) {
+        byteNumbers[i] = byteCharacters.charCodeAt(i);
+    }
+    var byteArray = new Uint8Array(byteNumbers);
+    var documentArrayBuffer = byteArray.buffer;

-        document.addEventListener("DOMContentLoaded", async () => {
-            const app = new App("#app", "@envelopeKey.TrySanitize(_sanitizer)", @Html.Raw(envelopeReceiverJson.TrySanitize(_sanitizer)), documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
-            await app.init();
-        })
-    </script>
+    document.addEventListener("DOMContentLoaded", async () => {
+        const app = new App("#app", "@envelopeKey.TrySanitize(_sanitizer)", @Html.Raw(envelopeReceiverJson.TrySanitize(_sanitizer)), documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
+        await app.init();
+    })
+</script>
 }
 <div id='app'></div>
--- a/EnvelopeGenerator.Web/appsettings.json
+++ b/EnvelopeGenerator.Web/appsettings.json
@ -19,17 +19,18 @@
  },
  "PSPDFKitLicenseKey": null,
  /* The first format parameter {0} will be replaced by the nonce value. */
-  "TestCSP": false,
+  "TestCSP": true,
  "Content-Security-Policy": [
    "default-src 'self'",
-    "script-src 'self' 'nonce-{0}'",
-    "style-src 'self' 'nonce-{0}'",
-    "img-src 'self' data: https:",
+    "script-src 'self' 'nonce-{0}' 'unsafe-inline' 'unsafe-eval' blob: data:",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https: blob:",
    "font-src 'self'",
-    "connect-src 'self' http://localhost:* https://localhost:* ws://localhost:* wss://localhost:*",
+    "connect-src 'self' http://localhost:* https://localhost:* ws://localhost:* wss://localhost:* blob:",
    "frame-src 'self'",
    "media-src 'self'",
-    "object-src 'self'"
+    "object-src 'self'",
+    "worker-src 'self' blob: data:"
  ],
  "AdminPassword": "dd",
  "AllowedOrigins": [ "https://localhost:7202", "https://digitale.unterschrift.wisag.de/" ],