Product: PowerShell Universal
Version: 5.5.3
Following Hosting | PowerShell Universal, I have set up the following Response Headers:
{
  "Kestrel": {
    "Headers": {
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;",
      "X-Frame-Options": "DENY",
      "X-Content-Type-Options": "nosniff",
      "Referrer-Policy": "origin-when-cross-origin"
    }
  }
}
These settings work fine for my apps, but this will lock me out of my admin-portal. To allow access again, I need to add script-src 'self' 'unsafe-inline' to the Content-Security-Policy, which circumvents most of the security added by applying this setting.
Is there a way to make this work without allowing unsafe inline scripts?
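
Why the first policy blocks inline scripts and what the `'unsafe-inline'` workaround changes, as an added example that is not part of the original post and not PowerShell Universal code: it applies the browser's CSP rules for inline `<script>` elements to the two policies from the post. The third policy, with a placeholder nonce, is constructed for illustration and assumes nothing about what the admin portal supports.

```javascript
// Added example, not PowerShell Universal code. The first two policies come
// from the post; the third (placeholder nonce) is constructed.
const POLICY_FROM_POST =
  "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
const POLICY_WITH_UNSAFE_INLINE =
  POLICY_FROM_POST + " script-src 'self' 'unsafe-inline'";
const POLICY_WITH_NONCE =
  "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER' 'unsafe-inline'";

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Would an inline <script> element carrying no nonce or matching hash run?
function inlineScriptVerdict(header) {
  const csp = parseCsp(header);
  // Fallback chain for script elements: script-src-elem, script-src, default-src.
  const governing = ['script-src-elem', 'script-src', 'default-src']
    .find((name) => csp.has(name)) || null;
  if (governing === null) {
    return { governing, allowed: true, reason: 'no directive restricts scripts' };
  }
  const sources = csp.get(governing).map((s) => s.toLowerCase());
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
  if (sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s))) {
    return { governing, allowed: false, reason: 'nonce/hash present, unsafe-inline ignored' };
  }
  if (sources.includes("'unsafe-inline'")) {
    return { governing, allowed: true, reason: "'unsafe-inline' listed" };
  }
  return { governing, allowed: false, reason: "no 'unsafe-inline', nonce or hash" };
}

for (const policy of [POLICY_FROM_POST, POLICY_WITH_UNSAFE_INLINE, POLICY_WITH_NONCE]) {
  const v = inlineScriptVerdict(policy);
  console.log(`${v.governing}: inline script ${v.allowed ? 'runs' : 'blocked'} (${v.reason})`);
}
```

With the policy from the post, scripts are governed by `default-src 'self'` because no `script-src` is set, so every inline script is blocked; adding `'unsafe-inline'` to `script-src` lets any inline script run.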