Sitecore 9+ has added the Content Security Policy custom header in the web.config and this will block any API calls to other domains.
Open web.config and look for customHeaders
<configuration>
<location path="sitecore">
<system.webServer>
<httpProtocol>
<customHeaders>
<httpProtocol>
<customHeaders>
<remove name="X-Content-Type-Options"/>
<remove name="X-XSS-Protection"/>
<remove name="Content-Security-Policy"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff "/>
<add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://apps.sitecore.net; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' 'unsafe-inline' https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content;"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</location>
</configuration>
Now lets add other domain https://mydomain.com in CSP.
<configuration>
<location path="sitecore">
<system.webServer>
<httpProtocol>
<customHeaders>
<httpProtocol>
<customHeaders>
<remove name="X-Content-Type-Options"/>
<remove name="X-XSS-Protection"/>
<remove name="Content-Security-Policy"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff "/>
<add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://apps.sitecore.net https://mydomain.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' 'unsafe-inline' https://fonts.gstatic.com; upgrade-insecure-requests; block-all-mixed-content;"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</location>
</configuration>
No comments:
Post a Comment