Add support for content security policy

This is a placeholder issue.

Similar to the support that we have for CORS in APIs, we should have support for Content Security Policy to make sites safer by default.
Support for CSP would be policy based, similar to the one we offer for CORS.

# Usage from middleware

```C#
ConfigureServices(IServiceCollection services)
{
    ...
    services.AddCsp();
    ...
}
```

```C#
Configure(IApplicationBuilder app)
{
    ...
    app.UseCsp();
    ...
}
```

# Usage from MVC
```C#
ConfigureServices(IServiceCollection services)
{
    ...
    services.AddMvc(); // Add MVC will call AddCsp similar to what we do for CORS today.
    ...
}
```

```C#
[EnableCsp]
public IActionResult Index()
{
    return View();
}
```

We will provide a default policy that limits content to your domain, defines best practices for HTTPS and will be set to report-only. This behavior can be switched per endpoint so that you can progressively enforce the policy one endpoint at a time.

# References

https://en.wikipedia.org/wiki/Content_Security_Policy

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

https://www.w3.org/TR/CSP2/

http://caniuse.com/#search=content%20security%20policy


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add support for content security policy #6001

Usage from middleware

Usage from MVC

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add support for content security policy #6001

Description

Usage from middleware

Usage from MVC

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions