Score:1

Editing Content Security Policy in IIS to allow a CDN script to be loaded

I am currently trying to load an external plugin into an application that is deployed on IIS.

I am getting this error:

Refused to load the script 'https://cdn.babylonjs.com/loaders/babylon.glTFFileLoader.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'nonce-DAIQxlrJrGSnAtLW'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

How can I edit the CSP of the website on IIS to allow only this script to be loaded?

The following are the current CSP configs I found in the web.config file of the site:

<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <httpProtocol>
    <customHeaders>
      <clear />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="Referrer-Policy" value="no-referrer" />
      <add name="X-XSS-Protection" value="1; mode=block" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

If that's not the solution, how can I resolve this issue?

There are no CSP headers defined in that web.config file. They may be defined elsewhere, such as in an intermediate proxy (if the website isn’t directly accessible from the user).
Samir Kassem
Fair enough, if I wanted to define CSP headers in order to do this, how is that done? I have tried adding them in the web.config but that seemed to just create more CSP issues for files that were working before...
djdomi
Welcome, please read [ask]. The question shows neither the config nor the related configuration, not even how the server gets in touch with this request. ;)
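
The check behind the browser error above, as an added example that is not part of the original thread: a simplified `script-src` matcher showing that every Content-Security-Policy header delivered must allow a script, so a second header cannot loosen the first, while appending the exact CDN URL to the existing policy permits only that file. The page origin `https://app.example` and every policy string other than the one quoted in the error are constructed for illustration.

```javascript
// Added example: simplified CSP check for <script src> loads, not a full CSP3 matcher.
// Nonces and hashes are skipped: they match the element, not the URL.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return directives;
}

function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // 'unsafe-eval', 'nonce-...', hashes, 'none'
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // A source without a scheme inherits the page's; http sources also match https.
  const want = scheme ? scheme.toLowerCase() + ':' : new URL(pageOrigin).protocol;
  if (url.protocol !== want && !(want === 'http:' && url.protocol === 'https:')) return false;
  const h = host.toLowerCase();
  const hostOk = h === '*' || (h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h);
  if (!hostOk) return false;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  if (port !== '*' && (port || defaultPort) !== (url.port || defaultPort)) return false;
  // A path ending in "/" is a prefix; any other path must match exactly.
  return !path || (path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path);
}

function policyAllowsScript(policy, scriptUrl, pageOrigin) {
  const d = parsePolicy(policy);
  // Fallback order, as the browser error notes: script-src-elem, then script-src.
  const sources = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (!sources) return true; // this policy does not govern scripts
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Every delivered policy must allow the load, so an extra header can only restrict.
function allowedByAll(policies, scriptUrl, pageOrigin) {
  return policies.every((p) => policyAllowsScript(p, scriptUrl, pageOrigin));
}

const PAGE = 'https://app.example'; // constructed origin, not from the page
const CDN = 'https://cdn.babylonjs.com/loaders/babylon.glTFFileLoader.js';
const current = "script-src 'self' 'unsafe-eval' 'nonce-DAIQxlrJrGSnAtLW'"; // from the error
const extraHeader = `script-src ${CDN}`; // constructed: a second CSP header
const amended = `${current} ${CDN}`; // CDN file appended to the existing policy
```

Because the reported policy carries a nonce, it is probably generated per response by the application or a module rather than set statically in web.config (an assumption), so the CDN source belongs wherever that header is produced.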