Content Security Policy for OWA/ECP with DUO for OWA installed?

Hey all…
Anyone deploying Content Security Policies for OWA and ECP, while also using DUO?

Any pointers? I tried adding “frame-src ■■■■■■■■■■■■■■■■■■■■■■■■■” and that broke things… I suspect that there’s a bunch of other framing going on in OWA/ECP that I’m missing.

Ken

5 Replies

Tony_B
Level 1

ECP has errors, Exchange ActiveSync won’t allow new devices.

Something like those kinds of errors?

I know ECP had issues, things not filling in completely on the screen.
We pulled it pretty quickly so as to get our admin back up and working.

aleg
Level 1

Content-Security-Policy
default-src 'self' hxxps://api-12345678.duosecurity[.]com hxxps://*.microsoft.com hxxps://*.sharepointonline.com data: 'unsafe-inline'; script-src 'self' hxxps://*.microsoft.com hxxps://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; img-src data: hxxps:;

Permissions-Policy
fullscreen=()

Referrer-Policy
strict-origin-when-cross-origin

Strict-Transport-Security
max-age=31536000; includeSubdomains

X-Content-Type-Options
nosniff

X-Powered-By
ASP[.]NET

Had to remove the X-Content-Type-Options header. Initially, there were no problems. Now, having it is impacting ECP pages. Unfortunately, there is only one value, so it's on or off.

It might be possible to add this back to the OWA page to remove the red flag. But with or without, the site would still get an “A” grade from SecurityHeaders[.]com.

Leaving it off for now. Currently running:

Content-Security-Policy
default-src 'self' hxxps://api-123456789.duosecurity[.]com https://*.microsoft[.]com https://*.sharepointonline[.]com data: 'unsafe-inline'; script-src 'self' https://*.microsoft[.]com https://*.sharepointonline[.]com 'unsafe-inline' 'unsafe-eval'; img-src data: https:;

Permissions-Policy
fullscreen=()

Referrer-Policy
strict-origin-when-cross-origin

Strict-Transport-Security
max-age=31536000; includeSubdomains

X-Powered-By
ASP[.]NET

Is anyone else having problems?
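As an added illustration (not code from this thread or from Duo), the Python helper below parses a Content-Security-Policy header and reports which directive actually governs a given load, following the CSP3 fallback chain (frame-src, then child-src, then default-src). It shows why a policy like the one above admits the Duo frame through default-src, and why adding a frame-src that omits the Duo host blocks it: an explicit directive replaces the fallback rather than extending it. The policy string, the mail.example.com self origin and the api-XXXXXXXX Duo hostname are constructed placeholders.

```python
from urllib.parse import urlparse

# CSP3 fallback chain. An explicitly set directive REPLACES the fallback sources,
# it does not add to them, which is why a new frame-src can suddenly block a frame.
FALLBACK = {"frame-src": ["child-src", "default-src"], "script-src": ["default-src"]}
def parse_csp(header):  # -> {directive: [sources]}
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy
def governing_directive(policy, directive):  # which directive's sources apply, or None
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return name
    return None
def source_matches(source, url, self_origin):
    """Match one source expression (keyword, scheme-source, host-source) to a URL."""
    u = urlparse(url)
    if source == "'self'":
        s = urlparse(self_origin)
        return (u.scheme, u.hostname) == (s.scheme, s.hostname)
    if source.startswith("'"):      # 'unsafe-inline', nonces, hashes: never match a fetched URL
        return False
    if source.endswith(":"):        # scheme-source such as https: or data:
        return u.scheme == source[:-1]
    scheme, _, rest = source.partition("://")
    host = rest.split("/")[0].split(":")[0]   # path and port matching omitted (simplification)
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):       # wildcard covers subdomains only, not the bare domain
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def allowed(header, directive, url, self_origin="https://mail.example.com"):
    """Return (is_allowed, governing directive) for loading `url` under `directive`."""
    policy = parse_csp(header)
    name = governing_directive(policy, directive)
    if name is None:
        return True, None           # nothing in the policy restricts this directive
    ok = "'none'" not in policy[name] and any(
        source_matches(s, url, self_origin) for s in policy[name])
    return ok, name

# Constructed policy modelled on the one posted above; api-XXXXXXXX is a placeholder host.
POLICY = ("default-src 'self' https://api-XXXXXXXX.duosecurity.com https://*.microsoft.com "
          "https://*.sharepointonline.com data: 'unsafe-inline'; script-src 'self' https://*.microsoft.com "
          "https://*.sharepointonline.com 'unsafe-inline' 'unsafe-eval'; img-src data: https:;")
```

Run `allowed(POLICY, "frame-src", url)` against the Duo host and then against the same policy with `frame-src 'self'` appended to see the governing directive switch from default-src to frame-src and the answer flip to blocked.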
