CSP Sandbox Warning #489
Hey there! The default CSP in the samples includes the sandbox directive along with the attributes allow-scripts and allow-same-origin. This configuration generates a warning in the browser. This can be seen on your demo IdentityServer site when attempting to access a page that requires login.

Is there a safe way to suppress this warning? Is it safe to remove the sandbox directive altogether if we've implemented a more comprehensive CSP, for example by implementing default-src, script-src, style-src, object-src, base-uri, frame-ancestors, etc.? Thanks for your guidance!
Replies: 1 comment
Thanks for reporting! We made a PR to update the CSP (DuendeSoftware/demo.duendesoftware.com#45) for fonts (and deployed).

As for the sandbox attribute, this is probably defined too wide for the entire IdentityServer deployment here. Looking at why it was originally added, it was to enable front-channel logout on Logout.cshtml/LoggedOut.cshtml, where an external IdP's logout page can render an iframe. It's safe to remove this directive in your own app altogether, as you suggest, but it may be worth adding origins for your logout pages if front-channel logout is needed there.
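The reply's suggestion, as an added example that is not code from the Duende demo site or from IdentityServer itself: an ASP.NET Core middleware that drops the site-wide `sandbox allow-scripts allow-same-origin` policy (a sandbox that grants both flags gives almost no sandbox benefit, which is why browsers warn about it), emits the explicit directives the question lists, and widens `frame-src` only on the pages that host the front-channel logout iframe. The page paths `/Account/Logout` and `/Account/LoggedOut`, and the `https://idp.example.com` origin, are assumptions for illustration; substitute your own.

```csharp
// Added example (not the demo site's or IdentityServer's own code).
// Per-request CSP: explicit allow-list everywhere, no sandbox directive,
// and frame-src opened to the external IdP only on the logout pages.
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class CspMiddleware
{
    // The policy the question describes, kept only as the "before" for comparison:
    // allow-scripts together with allow-same-origin leaves the sandbox effectively inert.
    public const string SandboxedPolicy =
        "default-src 'self'; sandbox allow-scripts allow-same-origin";

    // Baseline directives from the question; tighten the sources to what your pages actually load.
    private static readonly string[] BaseDirectives =
    {
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    };

    // Assumed paths of the pages that render the front-channel logout iframe.
    private static readonly HashSet<string> FrontChannelLogoutPaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "/Account/Logout", "/Account/LoggedOut" };

    // Placeholder origin of the external IdP whose logout page is framed; replace with the real one.
    private const string ExternalIdpOrigin = "https://idp.example.com";

    // Builds the header value for a given request path.
    public static string BuildPolicy(PathString path)
    {
        var directives = new List<string>(BaseDirectives);

        // Only the logout pages may embed a frame, and only from the IdP origin;
        // every other page keeps frame-src closed.
        directives.Add(FrontChannelLogoutPaths.Contains(path.Value ?? string.Empty)
            ? $"frame-src {ExternalIdpOrigin}"
            : "frame-src 'none'");

        return string.Join("; ", directives);
    }

    // Register in Program.cs with app.UseContentSecurityPolicy(); before MapRazorPages()/MapControllers().
    public static IApplicationBuilder UseContentSecurityPolicy(this IApplicationBuilder app) =>
        app.Use(async (context, next) =>
        {
            context.Response.Headers["Content-Security-Policy"] = BuildPolicy(context.Request.Path);
            await next();
        });
}
```

Keeping `frame-src 'none'` on every page except the two logout pages preserves the protection the sandbox was providing against unexpected embeds, while the login flow no longer triggers the browser warning.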