
I am currently trying to load an external plugin into an application that is deployed on IIS.

I am getting this error:

Refused to load the script 'https://cdn.babylonjs.com/loaders/babylon.glTFFileLoader.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'nonce-DAIQxlrJrGSnAtLW'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

How can I edit the CSP of the website on IIS to allow only this script to be loaded?

The following is the current CSP-related config I found in the web.config file of the site:

<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <httpProtocol>
    <customHeaders>
      <clear />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="Referrer-Policy" value="no-referrer" />
      <add name="X-XSS-Protection" value="1; mode=block" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

If that's not the solution, how can I resolve this issue?

Lex Li
  • There are no CSP headers defined in that web.config file. They may be defined elsewhere, such as in an intermediate proxy (if the website isn’t directly accessible from the user). – Greg W Jul 19 '23 at 10:38
  • Fair enough, if I wanted to define CSP headers in order to do this, how is that done? I have tried adding them in the web.config but that seemed to just create more CSP issues for files that were working before... – Samir Kassem Jul 19 '23 at 12:02
  • Welcome, please read [ask]. The question neither shows the config nor the related configuration, not even how the server gets in touch with this request. ;) – djdomi Jul 19 '23 at 16:51
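Editor's note with an added example (not code from the question, from IIS or from Babylon.js). The policy quoted in the error carries a `'nonce-…'` source, and a correct nonce is fresh for every response, so that header is almost certainly emitted by application code or middleware rather than by a static `customHeaders` entry; that is consistent with Greg W's comment that web.config contains no CSP at all. Two things follow for the question as asked. First, a browser that receives several `Content-Security-Policy` headers enforces all of them, so adding a second policy in web.config can only block more, never less, which matches the asker's experience. Second, to allow exactly one script and nothing else, either put the existing per-response nonce on the `<script>` tag (nonces authorise external scripts too) or, where the policy is generated, append the full script URL as a host-source: per the CSP spec a path that does not end in `/` matches only that exact path. The model below reproduces those rules so the reader can see each outcome; the page URL, the same-origin script path and the second "web.config" policy are assumptions, and hash sources, `'strict-dynamic'`, redirects and report-only policies are not modelled.

```javascript
// Added example (not code from the question or from IIS/Babylon.js): a simplified
// model of how a browser decides whether a <script src="..."> element may load
// under Content-Security-Policy. It covers what the error message on this page
// talks about: the script-src-elem -> script-src fallback, nonce matching, host
// and path source expressions, and the rule that when several CSP headers are
// delivered, every policy must allow the load. Hash sources, 'strict-dynamic',
// redirects and report-only policies are not modelled.

function parsePolicy(header) {
  // "directive value; directive value" -> Map(name -> [source expressions]);
  // a directive repeated within one policy keeps its first occurrence.
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression match the script URL / the element's nonce attribute?
function sourceMatches(expr, scriptUrl, pageOrigin, elementNonce) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return scriptUrl.origin === pageOrigin;
  if (lower.startsWith("'nonce-")) {
    // Nonces compare case-sensitively; the value comes from <script nonce="...">.
    return elementNonce !== null && elementNonce === expr.slice(7, -1);
  }
  // Other keywords ('unsafe-eval', 'unsafe-inline', ...) never authorise an external script.
  if (lower.startsWith("'")) return false;
  if (lower === '*') return scriptUrl.protocol === 'https:' || scriptUrl.protocol === 'http:';
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return scriptUrl.protocol === lower;
  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(expr);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : null;
  const host = m[3].toLowerCase();
  const [, , wildcard, , port, path] = m;
  if (scheme ? scriptUrl.protocol !== scheme
             : !(scriptUrl.protocol === 'https:' || scriptUrl.protocol === 'http:')) return false;
  const urlHost = scriptUrl.hostname.toLowerCase();
  if (wildcard ? !urlHost.endsWith('.' + host) : urlHost !== host) return false;
  if (port && port !== '*' && (scriptUrl.port || defaultPort(scriptUrl.protocol)) !== port) return false;
  if (path) {
    // A path ending in "/" is a prefix; any other path must match exactly, which is
    // how a policy can allow one specific file and nothing else on that host.
    if (path.endsWith('/') ? !scriptUrl.pathname.startsWith(path) : scriptUrl.pathname !== path) return false;
  }
  return true;
}

// One policy's verdict: script-src-elem, else script-src, else default-src;
// a policy with none of these does not restrict script loads at all.
function policyAllowsScript(policy, scriptUrl, pageOrigin, elementNonce) {
  const list = policy.get('script-src-elem') ?? policy.get('script-src') ?? policy.get('default-src');
  if (list === undefined) return true;
  return list.some(expr => sourceMatches(expr, scriptUrl, pageOrigin, elementNonce));
}

// Browser verdict for a <script src> given every Content-Security-Policy header
// on the response: the load happens only if *all* policies allow it, so a second
// header added in web.config can only tighten a policy set elsewhere.
function scriptAllowed(headers, scriptSrc, pageUrl, elementNonce = null) {
  const scriptUrl = new URL(scriptSrc, pageUrl);
  const pageOrigin = new URL(pageUrl).origin;
  return headers.every(h => policyAllowsScript(parsePolicy(h), scriptUrl, pageOrigin, elementNonce));
}

// Constructed sample data: the policy quoted in the error, the blocked script,
// and an assumed page URL plus an assumed same-origin script that already worked.
const EXISTING_POLICY = "script-src 'self' 'unsafe-eval' 'nonce-DAIQxlrJrGSnAtLW'";
const BLOCKED_SCRIPT = 'https://cdn.babylonjs.com/loaders/babylon.glTFFileLoader.js';
const PAGE_URL = 'https://app.example.com/viewer'; // assumption
const LOCAL_SCRIPT = '/scripts/app.js';            // assumption
const WEBCONFIG_POLICY = 'script-src https://cdn.babylonjs.com'; // assumed second header

function demo() {
  return {
    asReported: scriptAllowed([EXISTING_POLICY], BLOCKED_SCRIPT, PAGE_URL),
    withNonceOnTag: scriptAllowed([EXISTING_POLICY], BLOCKED_SCRIPT, PAGE_URL, 'DAIQxlrJrGSnAtLW'),
    withExactPath: scriptAllowed([EXISTING_POLICY + ' ' + BLOCKED_SCRIPT], BLOCKED_SCRIPT, PAGE_URL),
    otherFileSameCdn: scriptAllowed([EXISTING_POLICY + ' ' + BLOCKED_SCRIPT], 'https://cdn.babylonjs.com/babylon.js', PAGE_URL),
    secondHeaderCdn: scriptAllowed([EXISTING_POLICY, WEBCONFIG_POLICY], BLOCKED_SCRIPT, PAGE_URL),
    secondHeaderLocal: scriptAllowed([EXISTING_POLICY, WEBCONFIG_POLICY], LOCAL_SCRIPT, PAGE_URL),
    localAlone: scriptAllowed([EXISTING_POLICY], LOCAL_SCRIPT, PAGE_URL),
  };
}

console.log(demo());
```

Reading the results: `asReported` is the error on this page; `withNonceOnTag` and `withExactPath` are the two ways to allow that one file, and `otherFileSameCdn` shows the exact-path source does not open the rest of the CDN; `secondHeaderCdn` and `secondHeaderLocal` show why a second header in web.config both fails to unblock the CDN script and breaks a same-origin script that `localAlone` shows was fine before.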

0 Answers