Unsafe-inline and unsafe-eval

Venugopal 20 Reputation points
2025-11-05T09:40:09.7266667+00:00

Hi All,

We have an application developed in ASP.NET (.NET Framework 4.6.2). We understand from the article below that we need the unsafe-inline and unsafe-eval settings in order to run the application.

https://techcommunity.microsoft.com/blog/iis-support-blog/content-security-vulnerability-in-asp-netwebforms/3951304

Our PT team highlighted that these are vulnerable configurations.

The controls below are in place on our end, and we would like to know whether they are sufficient so that this is not exploitable.

  • XSS protection enabled
  • Access-Control-Allow-Origin
  • Strict-Transport-Security (HSTS) enabled
  • X-Frame-Options set to SAMEORIGIN
  • Other CSP settings like script-src and style-src restricted to specific domains only
  • Additional controls in place like WAF controls to protect from DDoS, network protocol and volumetric attacks, and application-layer attacks

We need your help with suggestions on this. Thank you.

Regards

Venugopal


Answer accepted by question author
  1. Gade Harika (INFOSYS LIMITED) 1,945 Reputation points Microsoft External Staff
    2025-11-06T10:11:49.4266667+00:00

    Thanks for reaching out.
    You are correct that the article mentions adding unsafe-inline and unsafe-eval in the Content Security Policy (CSP) for ASP.NET WebForms applications to function properly. However, these directives significantly weaken CSP and are considered vulnerable because they allow inline scripts and dynamic code execution, which can lead to XSS attacks.

    Why this happens

    • ASP.NET WebForms uses inline JavaScript for features like __doPostBack and client-side validation.
    • CSP blocks inline scripts unless unsafe-inline or a nonce/hash is used.
    • Adding unsafe-inline and unsafe-eval bypasses CSP protections.
    1. Avoid unsafe-inline and unsafe-eval if possible
       Instead, use nonce-based or hash-based CSP for inline scripts:
       Content-Security-Policy: script-src 'self' 'nonce-<random>' https://trusted.cdn.com;
       Update your app to inject nonces for inline scripts.
    2. Upgrade or Refactor
       Consider upgrading to ASP.NET Core or refactor inline scripts into external files to remove the need for unsafe directives.
    3. Defense-in-Depth Controls
       The controls you listed (HSTS, X-Frame-Options, WAF, domain-restricted CSP) are good additional layers, but they do not fully mitigate XSS risk if unsafe-inline is present.
    4. Validate and Encode
       Ensure proper input validation and output encoding throughout the application.

    References

    • Content Security Policy (CSP) Best Practices
    • Microsoft Guidance on ASP.NET WebForms CSP.

    Let me know if the issue persists after following these steps. I’ll be happy to assist further if needed. If the issue has been resolved, kindly mark the provided solution as "Accept Answer", so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
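The nonce injection the accepted answer recommends, shown as an added example for an ASP.NET WebForms application on .NET Framework 4.6.2. This is not code from the thread, from Microsoft, or from the linked article; the class names `Global` and `CspPage`, the `HttpContext.Items` key, the `CspNonce` property and the CDN host `https://trusted.cdn.example` are assumptions. The policy it builds replaces `'unsafe-inline'` and `'unsafe-eval'` in `script-src` with a per-request nonce, and the page markup stamps that nonce on the application's own inline script.

```csharp
// Added example (not from the thread, Microsoft, or the linked article).
// Per-request CSP nonce for ASP.NET WebForms on .NET Framework 4.6.2.
// Class names, the Items key and the CDN host are assumptions.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

namespace CspExample
{
    // Global.asax code-behind: issues one nonce per request and sends the policy header.
    public class Global : HttpApplication
    {
        public const string NonceItemKey = "CspNonce";

        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            string nonce = NewNonce();
            Context.Items[NonceItemKey] = nonce;
            Response.AppendHeader("Content-Security-Policy", BuildPolicy(nonce));
        }

        // 128 bits from the platform CSPRNG, base64-encoded (a valid CSP nonce value).
        // System.Random is not suitable here: the nonce must be unguessable per response.
        public static string NewNonce()
        {
            byte[] raw = new byte[16];
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(raw);
            }
            return Convert.ToBase64String(raw);
        }

        // Nonce source in place of 'unsafe-inline' / 'unsafe-eval'. The other directives
        // mirror the controls from the question (same-origin framing, restricted style-src).
        public static string BuildPolicy(string nonce)
        {
            return
                "default-src 'self'; " +
                "script-src 'self' 'nonce-" + nonce + "' https://trusted.cdn.example; " + // CDN host assumed
                "style-src 'self'; " +
                "object-src 'none'; " +
                "base-uri 'self'; " +
                "frame-ancestors 'self'";
        }
    }

    // Base class for pages so that markup can read the current request's nonce.
    public class CspPage : Page
    {
        public string CspNonce
        {
            get { return HttpContext.Current.Items[Global.NonceItemKey] as string ?? string.Empty; }
        }
    }
}

/* Page markup (Default.aspx) inheriting from CspPage. The application's own inline
   script is stamped with the nonce. Inline scripts emitted by the framework itself
   (the __doPostBack and validation code the answer mentions) are not stamped here,
   which is why the answer also recommends external script files or an upgrade.

<%@ Page Language="C#" Inherits="CspExample.CspPage" %>
<!DOCTYPE html>
<html>
<head runat="server"><title>Nonce example</title></head>
<body>
  <form id="form1" runat="server">
    <script nonce="<%: CspNonce %>">
      document.addEventListener("DOMContentLoaded", function () {
        console.log("inline script allowed by nonce");
      });
    </script>
  </form>
</body>
</html>
*/
```

Two checks worth running before deploying a policy like this: browsers that support nonces ignore `'unsafe-inline'` in a `script-src` that also contains a nonce or hash, so adding the nonce alongside `'unsafe-inline'` does not keep the old behaviour for framework-emitted scripts; and any output caching must not serve one response to several requests, because a reused nonce no longer restricts which inline scripts may run.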


2 additional answers

  1. Bruce (SqlWork.com) 81,971 Reputation points Volunteer Moderator
    2025-11-05T18:01:56.36+00:00

    Special care is required if you use HtmlHelper.Raw().

    Note: you can have all these default safeguards, but you must verify your code does not allow exploits. This means validating all postback values. Always verify the user has access to the data fetched by key.


  2. Venugopal 20 Reputation points
    2025-11-15T13:55:01.16+00:00

    Hi Gade Harika,

    Thank you for the suggestion. We will try the recommended approach and let you know if any further clarification is required.
