Script missing when implementing NetEscapades.AspNetCore.SecurityHeaders
I have implemented CSP and CORS; when doing so, my external script is not rendering on the page.
```csharp
builder.Services.AddCors(options =>
{
    options.AddPolicy(name: MyAllowSpecificOrigins,
        builder =>
        {
            builder.WithOrigins("cloudflare.com", "goadopt.io").SetIsOriginAllowedToAllowWildcardSubdomains();
            builder.WithHeaders(HeaderNames.ContentType, HeaderNames.Accept);
            builder.WithMethods("GET", "OPTIONS", "POST", "HEAD", "PUT");
        });
});

var policyCollection = new HeaderPolicyCollection()
    .AddFrameOptionsDeny()
    .AddXssProtectionBlock()
    .AddContentTypeOptionsNoSniff()
    .AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365) // maxage = one year in seconds
    .AddReferrerPolicyStrictOriginWhenCrossOrigin()
    .RemoveServerHeader()
    .AddContentSecurityPolicy(builder =>
    {
        builder.AddUpgradeInsecureRequests();
        builder.AddBlockAllMixedContent();
        builder.AddDefaultSrc().Self();
        builder.AddObjectSrc().Self();
        builder.AddFormAction().Self();
        builder.AddFrameAncestors().Self();
        builder.AddScriptSrc().WithNonce();
    })
    .AddCrossOriginOpenerPolicy(builder =>
    {
        builder.SameOrigin();
    })
    .AddCrossOriginEmbedderPolicy(builder =>
    {
        builder.UnsafeNone();
    })
    .AddCrossOriginResourcePolicy(builder =>
    {
        builder.CrossOrigin();
    });
```
Which applies the nonce nicely, so I know that is working:

```html
<script src="//tag.goadopt.io/injector.js?website_code=e1735....3d561393" class="adopt-injector" nonce="zTYQYLvI6vAq8P3EXkq7XIFIQsEHrOWAgGLy5xSj9E8="></script>
```
However the script does not execute. What do I need to update or what am I missing?
This is the network tab and has a 200 code.
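
The policy built above gives `script-src` a nonce and leaves every other fetch type to `default-src 'self'`. As an added example (not part of the original question, and not NetEscapades code), this sketch evaluates that policy against constructed loads to show which directive decides each one. The header string, `example.test` and the `hypothetical-*` URLs are assumptions, since the page does not say what `injector.js` requests after it loads.

```javascript
// Nonce copied from the script tag in the question; everything else here is constructed.
const NONCE = "zTYQYLvI6vAq8P3EXkq7XIFIQsEHrOWAgGLy5xSj9E8=";
const PAGE_ORIGIN = "https://example.test"; // hypothetical site origin
// Assumed header: the directives named by the AddContentSecurityPolicy calls above.
const POLICY = "upgrade-insecure-requests; block-all-mixed-content; default-src 'self'; " +
  "object-src 'self'; form-action 'self'; frame-ancestors 'self'; " +
  `script-src 'nonce-${NONCE}'`;

// Split a CSP header into directive name -> source list (first occurrence wins).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified matcher: handles 'self', nonces and exact host sources only
// (no wildcards, schemes, paths, hashes or 'strict-dynamic').
function checkLoad(policy, load) {
  const own = `${load.type}-src`;
  const directive = policy.has(own) ? own : "default-src"; // fetch-directive fallback
  const sources = policy.get(directive);
  if (!sources) return { directive: null, allowed: true }; // nothing governs this load
  const url = new URL(load.url);
  const nonceable = load.type === "script" || load.type === "style";
  const allowed = sources.some((s) =>
    (s === "'self'" && url.origin === PAGE_ORIGIN) ||
    (nonceable && Boolean(load.nonce) && s === `'nonce-${load.nonce}'`) ||
    s === url.host);
  return { directive, allowed };
}

// Constructed loads: only the first one appears in the question.
const LOADS = [
  { name: "injector tag", type: "script", url: "https://tag.goadopt.io/injector.js", nonce: NONCE },
  { name: "script added at runtime", type: "script", url: "https://tag.goadopt.io/hypothetical-extra.js" },
  { name: "XHR/fetch call", type: "connect", url: "https://tag.goadopt.io/hypothetical-api" },
  { name: "stylesheet", type: "style", url: "https://tag.goadopt.io/hypothetical.css" },
  { name: "same-origin image", type: "img", url: `${PAGE_ORIGIN}/logo.png` },
];

function report(header) {
  const policy = parsePolicy(header);
  return LOADS.map((l) => ({ name: l.name, ...checkLoad(policy, l) }));
}

for (const r of report(POLICY)) {
  console.log(`${r.allowed ? "allow" : "BLOCK"}  ${r.name}  (${r.directive})`);
}
```

The browser console reports the same decisions as CSP violation messages that name the blocked URL and the directive, which is the place to confirm what a third-party script actually tried to load.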
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow