2
votes

I noticed a Content-Security-Policy header in an ASP MVC 5 project I was working on and was wondering where the default value comes from.

I've searched web.config and applicationhost.config for Content-Security-Policy and for the value: 'default-src 'self' 'unsafe-eval' 'unsafe-inline' data:;connect-src *;report-uri /csp-report-endpoint/', but found no results in the project itself.

Does anyone know where the value comes from?

1 Answer

0
votes

Maybe it comes from a server setting? In a project I took over, the same problem happens. After I checked the code and the differences between the production version and the test version, I found that the test version doesn't respond with a CSP header but the production one does. I confirmed with the server manager and learned that it is caused by a server environment setting.