PageBuilder Content Security Policy

Mark Elliott asked on March 10, 2022 18:32

When modifying the Content Security Policy to add script-src 'self', this causes page builder not to load, with an error: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".

Any idea on how I can add dynamic nonce id or hash id generated by my MVC web app on inline script and styles included by Kentico components?

Recent Answers


Dmitry Bastron answered on March 11, 2022 05:38

Hi Mark,

I assume you are adding this header via config. I'd probably suggest an alternative solution - add this header via the code and apply a condition like: if (preview or page builder) - don't add this header.

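The approach suggested in this answer, sketched for ASP.NET MVC 5 as an added example that is not part of the thread and is not Kentico code. The class name `CspHeaderFilter`, the `csp-nonce` key, and the `isEditingRequest` delegate are hypothetical; the delegate stands in for the "preview or page builder" condition, which the caller has to supply.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Added example: global MVC result filter that sends a nonce-based CSP,
// except on requests the supplied predicate marks as preview/page builder.
public sealed class CspHeaderFilter : IResultFilter
{
    private const string NonceKey = "csp-nonce"; // hypothetical Items key

    // Assumption: the caller supplies the "preview or page builder" test.
    private readonly Func<HttpContextBase, bool> _isEditingRequest;

    public CspHeaderFilter(Func<HttpContextBase, bool> isEditingRequest)
    {
        if (isEditingRequest == null) throw new ArgumentNullException(nameof(isEditingRequest));
        _isEditingRequest = isEditingRequest;
    }

    // Views call this to stamp their own inline <script nonce="..."> tags.
    public static string GetNonce(HttpContextBase context)
    {
        var nonce = context.Items[NonceKey] as string;
        if (nonce == null)
        {
            var bytes = new byte[16]; // 128 bits from a CSPRNG, new per request
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
            nonce = Convert.ToBase64String(bytes);
            context.Items[NonceKey] = nonce;
        }
        return nonce;
    }

    public void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        // Child actions share the parent response; set the header once.
        if (filterContext.IsChildAction || _isEditingRequest(http)) return;

        var policy = "script-src 'self' 'nonce-" + GetNonce(http) + "'";
        // Headers.Set replaces any earlier value (needs IIS integrated pipeline).
        http.Response.Headers.Set("Content-Security-Policy", policy);
    }

    public void OnResultExecuted(ResultExecutedContext filterContext) { }
}
```

Register one instance with `GlobalFilters.Filters.Add(...)`. On responses that carry the header, any inline script rendered without the nonce attribute is still refused.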

Mark Elliott answered on March 11, 2022 16:54

Hi Dmitry,

Thanks for the response. I can certainly try that approach. I'm not sure though that we won't get dinged on the next security audit for those pages where the header is missing.


Dmitry Bastron answered on March 21, 2022 06:24

Hi Mark,

It shouldn't be an issue, because from the security scan perspective this software will always be scanning the live site, not preview or page builder URLs, so you should be safe.


Mark Elliott answered on March 31, 2022 22:37

Hi Dmitry,

In trying that approach: bool isEdit = HttpContext.Current.Kentico().PageBuilder().EditMode; I get...

The page builder feature is not enabled. You need to call the 'UsePageBuilder()' method of the Kentico.Web.Mvc.ApplicationBuilder instance at the start of your application's life cycle

Page builder is enabled in Application_Start, so I'm not sure what the issue is.
