I am currently trying to load an external plugin into an application that is deployed on IIS.

<script src="https://cdn.babylonjs.com/loaders/babylon.glTFFileLoader.js"></script>

I am getting this error:

Refused to load the script 'https://cdn.babylonjs.com/loaders/babylon.glTFFileLoader.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'nonce-DAIQxlrJrGSnAtLW'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

How can I edit the CSP of the website on IIS to allow only this script to be loaded?

The following is the current CSP config I found in the web.config file of the site:

<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <httpProtocol>
    <customHeaders>
      <clear />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="Referrer-Policy" value="no-referrer" />
      <add name="X-XSS-Protection" value="1; mode=block" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

If that's not the solution, how can I resolve this issue?

RF1991
The best thing to do would be to replace this event handler with a proper one written in your JS file. – samwu Jul 17 '23 at 09:25
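
An added example, not part of the original question: a simplified JavaScript model of how the browser evaluated the policy quoted in the error, showing that appending the loader's full URL to `script-src` admits that one file and nothing else on the CDN, and that a second policy header cannot loosen the first. `PAGE_ORIGIN` and all function names are assumptions made for illustration; only `'self'` and scheme-qualified host sources are modelled.

```javascript
// Added example: simplified model of CSP checks for <script src> loads.
// Models 'self' and scheme://host[/path] sources only (no wildcards, nonces, hashes).
const CURRENT_POLICY = "script-src 'self' 'unsafe-eval' 'nonce-DAIQxlrJrGSnAtLW'"; // from the error
const LOADER = "https://cdn.babylonjs.com/loaders/babylon.glTFFileLoader.js";
const PAGE_ORIGIN = "https://app.example"; // constructed placeholder for the site's origin

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return directives;
}

// Script elements fall back script-src-elem -> script-src -> default-src,
// which is the fallback the browser error message mentions.
function effectiveScriptSources(directives) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no governing directive: the load is unrestricted
}

function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // keyword, nonce or hash: never matches a URL
  let src;
  try { src = new URL(expr); } catch { return false; } // unsupported form in this model
  if (src.origin !== url.origin) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return src.pathname.endsWith("/")
    ? url.pathname.startsWith(src.pathname)
    : url.pathname === src.pathname;
}

function scriptAllowed(policy, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = effectiveScriptSources(parsePolicy(policy));
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// When a response carries several policies, each one must allow the load.
function allowedByAll(policies, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  return policies.every((p) => scriptAllowed(p, scriptUrl, pageOrigin));
}

// The narrowest change: append the exact script URL to the existing directive.
const AMENDED_POLICY = `${CURRENT_POLICY} ${LOADER}`;
```

The web.config fragment shown sets no `Content-Security-Policy` header, so the amended source list has to go wherever the nonce-bearing policy is actually generated; adding a separate CSP header under `customHeaders` would only add a second policy that must also pass.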

0 Answers