10-15-2021 11:36 AM
Hey all…
Anyone deploying Content Security Policies for OWA and ECP, while also using DUO?
Any pointers? I tried adding “frame-src ■■■■■■■■■■■■■■■■■■■■■■■■■” and that broke things… I suspect that there’s a bunch of other framing going on in OWA/ECP that I’m missing.
Ken
10-31-2021 06:23 PM
ECP has errors, Exchange ActiveSync won’t allow new devices.
Something like those kind of errors?
11-01-2021 12:17 PM
I know ECP had issues, things not filling in completely on the screen.
We pulled it pretty quickly so as to get our admin back up and working.
02-15-2023 06:24 PM
Content-Security-Policy
default-src ‘self’ hxxps://api-12345678.duosecurity[.]com hxxps://*.microsoft.com hxxps://*.sharepointonline.com data: ‘unsafe-inline’; script-src ‘self’ hxxps://*.microsoft.com hxxps://*.sharepointonline.com ‘unsafe-inline’ ‘unsafe-eval’; img-src data: hxxps:;
02-15-2023 06:33 PM
Permissions-Policy
fullscreen=()
Referrer-Policy
strict-origin-when-cross-origin
Strict-Transport-Security
max-age=31536000; includeSubdomains
X-Content-Type-Options
nosniff
X-Powered-By
ASP[.]NET
02-20-2023 11:26 AM
Had to remove the X-Content-Type-Options header. Initially, had no problems. Now, it is impacting ECP pages to have that. Unfortunately, there is only one value, so it’s on or off.
It might be possible to add this back to the OWA page to remove the red flag. But with or without, the site would still get an “A” grade from SecurityHeaders[.]com.
Leaving it off for now. Currently running:
Content-Security-Policy
default-src ‘self’ hxxps://api-123456789.duosecurity[.]com https://*.microsoft[.]com https://*.sharepointonline[.]com data: ‘unsafe-inline’; script-src ‘self’ https://*.microsoft[.]com https://*.sharepointonline[.]com ‘unsafe-inline’ ‘unsafe-eval’; img-src data: https:;
Permissions-Policy
fullscreen=()
Referrer-Policy
strict-origin-when-cross-origin
Strict-Transport-Security
max-age=31536000; includeSubdomains
X-Powered-By
ASP[.]NET
Is anyone else having problems?
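A small checker, added here as an example and not part of any post in this thread, that parses a CSP header like the one above and evaluates whether a given fetch would be allowed. It illustrates why the posted policy works without a frame-src directive: frame-src is absent, so it falls back to default-src, which lists the Duo host. The Duo account id, the OWA origin and the URLs are placeholders, and the source matching is simplified (no port or path matching, no scheme upgrade).

```python
from urllib.parse import urlsplit

# Constructed policy modelled on the one posted above; the Duo account id is a placeholder.
POLICY = ("default-src 'self' https://api-123456789.duosecurity.com https://*.microsoft.com "
          "https://*.sharepointonline.com data: 'unsafe-inline'; "
          "script-src 'self' https://*.microsoft.com https://*.sharepointonline.com "
          "'unsafe-inline' 'unsafe-eval'; img-src data: https:;")

# Fetch directives that fall back to default-src when absent (simplified CSP3 fallback chain).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "frame-src", "connect-src",
                         "font-src", "media-src", "object-src", "child-src", "worker-src"}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]  # first token is the directive name
    return policy

def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression allow fetching `url` from a page served at `page_origin`?"""
    u = urlsplit(url)
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr.endswith(":"):            # scheme-source such as https: or data:
        return u.scheme == expr[:-1]
    if expr.startswith("'"):          # 'unsafe-inline', 'unsafe-eval', nonces: never match a URL
        return False
    s = urlsplit(expr if "://" in expr else f"{u.scheme}://{expr}")  # assume page scheme if absent
    if s.scheme != u.scheme or u.hostname is None:
        return False
    host = s.hostname or ""
    if host.startswith("*."):         # wildcard matches subdomains only, not the bare domain
        return u.hostname.endswith(host[1:])
    return u.hostname == host

def allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Evaluate `url` against `directive`, using default-src when the directive is absent."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                   # no governing directive: CSP does not restrict this fetch
    return any(source_matches(e, url, page_origin) for e in sources)
```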