SSRS violation of Content Security Policy

  • Question

  • Hello,

    We have been using SSRS for quite some time in our WebApplication, and we recently added a Content Security Policy. After a few tests we discovered some violations of this policy, and it seems that some of them are coming from those reports.

    More specifically, we recently established a Content Security Policy in Report-Only mode, which means that we get a report of violations without actually blocking any functionality. Our policy indicates that the script-src directive will only allow scripts coming from our application, and looks like this: "script-src: 'self'". What we discovered, though, is that in the SSRS reports there are some onclick functions, such as the ordering in the columns, that violate our policy.

    [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-fTHQ5KdQIQVPWF7MdxjWg06laoMcYw4ZwIuZ27lGoDM='), or a nonce ('nonce-...') is required to enable inline execution.

    coming from ScriptResource.axd:346 after trying to order the items of a column.

    // Name:        MicrosoftAjaxWebForms.debug.js
    // Assembly:    System.Web.Extensions
    // Version:     4.0.0.0
    // FileVersion: 4.7.3429.0

    Is there going to be a more CSP-friendly way for those onclick functions, or any workaround? Let me know if you need me to provide specific information regarding our problem.

    Regards,
    Petros M.

    Wednesday, November 13, 2019 8:27 AM
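As an added example (not part of the original post or of SSRS), the two things a team usually needs at this stage: a parser that groups the violation reports a browser POSTs to `report-uri` in Report-Only mode, so the ones originating in `ScriptResource.axd` can be told apart from the rest, and a helper that produces the `'sha256-...'` source expression the browser message mentions. The report JSON below is constructed; note that under CSP Level 2 a hash source only covers inline `<script>` blocks, while event-handler attributes such as `onclick` additionally need the CSP Level 3 `'unsafe-hashes'` keyword.

```python
import base64
import hashlib
from collections import Counter

# Header pair a web application sends to get reports without blocking anything.
# The report endpoint path is an assumption for this example.
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only",
    "script-src 'self'; report-uri /csp-report",
)

def csp_hash_source(script_body: str) -> str:
    """Return the CSP 'sha256-<base64>' source expression for an inline script.

    The browser hashes the exact bytes between <script> and </script>
    (UTF-8, whitespace included), so the body must be copied verbatim.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

# Constructed sample of the JSON bodies a browser POSTs to report-uri.
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://app.example/reports/sales",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "inline",
                    "source-file": "https://app.example/ScriptResource.axd",
                    "line-number": 346}},
    {"csp-report": {"document-uri": "https://app.example/reports/stock",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "inline",
                    "source-file": "https://app.example/ScriptResource.axd",
                    "line-number": 346}},
    {"csp-report": {"document-uri": "https://app.example/home",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "https://cdn.example/widget.js",
                    "source-file": "https://app.example/home",
                    "line-number": 12}},
]

def summarize_violations(reports):
    """Count reports by (violated directive, blocked URI, originating file)."""
    counts = Counter()
    for report in reports:
        body = report.get("csp-report", {})
        key = (body.get("violated-directive"),
               body.get("blocked-uri"),
               body.get("source-file"))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_violations(SAMPLE_REPORTS).most_common():
        print(n, *key)
```

Run against a day of real reports, the summary shows whether the inline-script violations are confined to the SSRS script resource or spread across the application's own pages.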

All replies

  • Hi Petros,

    Thanks for the post!

    Could you explain this Report Only mode a little bit? This should not be an official SSRS feature?

    Also, what version of SSRS are you using now?

    Regards,

    Lukas


    MSDN Community Support. Please remember to click Mark as Answer on the responses that resolved your issue, and to click Unmark as Answer if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, November 14, 2019 6:33 AM