Add Custom Headers

jsb 2020-06-06 00:42:21 UTC #1

Trying add a custom header "Content Security Policy" to the IIS to mitigate the risk of content injection vulnerabilities such as cross-site scripting. When adding e-junkie as an allowed script to run on my server the cart links now opens up into a new browser window instead of the normal popup overlay. Any insight would be appreciated.

<httpProtocol>
<customHeaders>
<clear />
<add name="X-Frame-Options" value="sameorigin" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="Content-Security-Policy" value="script-src 'self' *.e-junkie.com *.unpkg.com *.fatfreecartpro.com;" />
</customHeaders>
<httpProtocol>

jsb 2020-06-06 15:44:24 UTC #2

Figured it out. To allow inline scripts and inline event handlers, 'unsafe-inline', a nonce-source or a hash-source that matches the inline block needed to be specified.

sprudio 2020-06-12 21:01:32 UTC #3

Can you please post here the new script you are using? The one that you just figure out. Thank you.

SOLUTIONS FEATURES PRICING DISCOVER PRODUCTS CONTACT HELP DOCS DASHBOARD

Forum

E-junkie Community Forum

Share and learn in the E-junkie community.