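/// <summary>
/// Emits the configured Content-Security-Policy headers for the current request.
/// </summary>
/// <remarks>
/// If a Content-Security-Policy header is already on the response when the handler runs,
/// nothing is changed. Otherwise each configured policy is evaluated in collection order:
/// a policy with a Location that matches the request replaces whatever was emitted so far,
/// and a policy without a Location is appended.
/// </remarks>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Event arguments; not used.</param>
private void BeginRequest(object sender, EventArgs e)
{
    const string CspHeaderName = "Content-Security-Policy";
    // Legacy, pre-standard header name kept for Internet Explorer.
    // NOTE(review): IE is understood to honour only a small subset of CSP through this
    // header, so it should not be counted on as equivalent protection there.
    const string LegacyCspHeaderName = "X-Content-Security-Policy";

    var response = HttpContext.Current.Response;

    // Make sure there isn't a content security policy already set.
    // We're not going to override an existing one.
    if (!string.IsNullOrEmpty(response.Headers[CspHeaderName]))
    {
        return;
    }

    var csps = SecurityPoliciesCollectionManager.GetPolicies();
    if (csps == null || !csps.HasPolicies)
    {
        return;
    }

    foreach (var policy in csps.Policies)
    {
        var policyHeader = HttpHelpers.BuildContentSecurityPolicyHeader(policy);
        var location = policy.Location;

        if (!string.IsNullOrEmpty(location))
        {
            // Location is a configuration token, not display text, so compare it ordinally.
            // The default culture-sensitive StartsWith can treat ignorable characters as a
            // match and varies with the thread culture.
            bool appliesToRequest;
            if (location.StartsWith("/", StringComparison.Ordinal))
            {
                appliesToRequest = HttpHelpers.IsFolderRequest(location);
            }
            else if (location.StartsWith("http://", StringComparison.Ordinal)
                || location.StartsWith("https://", StringComparison.Ordinal))
            {
                appliesToRequest = HttpHelpers.IsDomainRequest(location);
            }
            else
            {
                // Any other Location format is ignored. The policy is silently not applied,
                // so a mistyped Location (including an upper-case scheme) means no header.
                appliesToRequest = false;
            }

            if (!appliesToRequest)
            {
                continue;
            }

            // A scoped policy that matches replaces anything emitted earlier in this loop,
            // including a policy without a Location, so the last match in the collection wins.
            if (!string.IsNullOrEmpty(response.Headers[CspHeaderName]))
            {
                response.Headers.Remove(CspHeaderName);
                response.Headers.Remove(LegacyCspHeaderName);
            }
        }

        // Single emission point so the standard and legacy headers always carry the same value.
        // Policies without a Location are appended rather than replaced. If more than one
        // policy is emitted, the browser enforces all of them together, so the effective
        // policy can only get stricter. Check the collection order if that is not intended.
        response.AddHeader(CspHeaderName, policyHeader);
        response.AddHeader(LegacyCspHeaderName, policyHeader);
    }
}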