Only return CSP for document requests · Issue #188 · NWebsec/NWebsec · GitHub

Only return CSP for document requests #188

Description

@carlin-q-scott

I don't believe there's a benefit for returning the CSP for any request other than a document request. From what I can tell, the CSP is returned by all MVC actions and Razor Page handlers. It can be restricted to just document requests using the following middleware code:

using System.Linq;                        // for StringValues.First()
using Microsoft.Extensions.Primitives;    // for StringValues

bool documentRequest = false;
if (httpContext.Request.Headers.TryGetValue("sec-fetch-dest", out StringValues dest)) documentRequest = dest.Equals("document"); // browser-set fetch metadata: "document" = top-level navigation
else if (httpContext.Request.Headers.TryGetValue("accept", out StringValues accept)) documentRequest = accept.First().StartsWith("text/html"); // fallback for browsers without Sec-Fetch-Dest

The sec-fetch-dest header is implemented in all major browsers except Safari, so that's why there's a fallback to checking the preferred content type requested by the browser. That check isn't as precise because an ajax request for html will match it and not need it.
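The check described in this issue, written out as a complete ASP.NET Core middleware. This is an added example, not NWebsec's code and not the poster's; the middleware name, the extension method and the policy string are all constructed placeholders, and the classifier is factored into a static method so it can be unit-tested with a plain `HeaderDictionary`.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;

// Hypothetical middleware (not NWebsec's code) that adds a CSP header only when
// the request looks like a browser loading a document, using the check from the issue.
public sealed class DocumentOnlyCspMiddleware
{
    // Constructed placeholder policy; a real policy is application-specific.
    private const string Policy = "default-src 'self'; object-src 'none'; frame-ancestors 'none'";

    private readonly RequestDelegate _next;

    public DocumentOnlyCspMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        if (IsDocumentRequest(context.Request.Headers))
        {
            // Set the header just before the response starts, so a later component
            // cannot have flushed the headers without it.
            context.Response.OnStarting(() =>
            {
                context.Response.Headers["Content-Security-Policy"] = Policy;
                return Task.CompletedTask;
            });
        }

        await _next(context);
    }

    // Sec-Fetch-Dest is a forbidden request header, so page scripts cannot forge it;
    // when present it is the reliable signal. IHeaderDictionary lookups are case-insensitive.
    public static bool IsDocumentRequest(IHeaderDictionary headers)
    {
        if (headers.TryGetValue("Sec-Fetch-Dest", out StringValues dest))
        {
            // "document" is a top-level navigation; XHR/fetch report "empty",
            // and subresources report their own type (script, image, ...).
            return dest.Equals("document");
        }

        // Fallback for browsers that do not send Sec-Fetch-Dest: treat a request
        // whose first Accept media range is text/html as a document request.
        // As the issue notes, this is coarser: an XHR that asks for text/html also matches.
        if (headers.TryGetValue("Accept", out StringValues accept))
        {
            string first = accept.FirstOrDefault() ?? string.Empty;
            string firstRange = first.Split(',')[0].Trim();
            return firstRange.StartsWith("text/html", StringComparison.OrdinalIgnoreCase);
        }

        return false;
    }
}

public static class DocumentOnlyCspExtensions
{
    // Register early in the pipeline: app.UseDocumentOnlyCsp();
    public static IApplicationBuilder UseDocumentOnlyCsp(this IApplicationBuilder app)
        => app.UseMiddleware<DocumentOnlyCspMiddleware>();
}
```

One caveat worth checking before adopting this: a page loaded inside an iframe is sent with `Sec-Fetch-Dest: iframe`, not `document`, so with the comparison above framed pages receive no policy at all. If the application serves pages that are legitimately framed, extend the comparison to cover that value as well.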
