IIS Support Blog

Content Security Vulnerability in ASP.NET(WebForms)

PradeepSharma (Microsoft)
Nov 28, 2023

Issue: While implementing CSP (Content Security Policy) in an ASP.NET Web Forms application, some of the scripts do not work in the UI, or the application does not behave normally.

Cause: 'unsafe-inline' and 'unsafe-eval' were not included in the CSP settings for the ASP.NET Web Forms application.

Solution

There is no way for a Web Forms app to run under a CSP without allowing 'unsafe-inline' on scripts and styles, and probably 'unsafe-eval' on either or both, depending on third-party controls. Arguably, once you start allowing 'unsafe-inline' on scripts, Content Security Policy is frankly neutered at that point.

As Web Forms is considered complete, with no new features being added, this isn't going to change. To gain a modicum of control over the HTML output you really need to move to MVC.

Workaround:

 <add name="Content-Security-Policy" value="default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';" />
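To make the weakening in that workaround visible, here is an added Python example (not code from the original post or from IIS). It reads the header out of a constructed web.config fragment carrying the exact value above, then flags every wildcard and unsafe-* keyword in the default, script, style, object and frame source lists; the directive set it treats as sensitive is an assumption of the example.

```python
"""Audit the Content-Security-Policy header stored in an IIS web.config."""
import xml.etree.ElementTree as ET

# Constructed web.config fragment wrapping the workaround header from the post.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Directives where a wildcard or unsafe-* keyword defeats the point of the policy
# (assumed set for this example; connect/font/img/media are deliberately skipped).
SENSITIVE = ("default-src", "script-src", "style-src", "object-src", "frame-src")


def csp_from_web_config(xml_text):
    """Return the Content-Security-Policy value from customHeaders, or None."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("name", "").lower() == "content-security-policy":
            return add.get("value", "")
    return None


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:  # skip the empty part left by a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header):
    """Return one finding per wildcard or unsafe-* keyword in a sensitive directive."""
    findings = []
    for directive, sources in parse_csp(header).items():
        if directive not in SENSITIVE:
            continue
        if "*" in sources:
            findings.append(f"{directive}: wildcard '*' allows any origin")
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in sources:
                findings.append(f"{directive}: {keyword} present")
    return findings
```

Run against the fragment above it reports seven findings, including the script-src 'unsafe-inline' and 'unsafe-eval' that the post says Web Forms cannot do without.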

Updated Oct 11, 2023
Version 1.0

1 Comment

  • Venugopals
    Copper Contributor

    Hi Pradeep,

    Thank you for sharing details.

    We have an ASP.NET application with the above settings. Our PT team highlighted that these settings are vulnerable.

    The below controls are in place, and we would like to know whether this is sufficient so that it is not exploitable.

    • XSS protection enabled
    • Access-Control-Allow-Origin
    • Strict Transport Security (HSTS) enabled
    • X-Frame-Options set to same origin
    • Other CSP settings like script-src and style-src with only specific domains
    • Additional controls in place, like WAF controls, to protect from DDoS, network protocol and volumetric attacks, and application layer attacks.

    Regards
    Venugopal