APIM Management Content Security Policy Settings are not working as expected


I have an APIM instance with a lot of APIs imported and working. I published the APIM developer portal with content security policy settings to allow only trusted resources. Since then I am unable to execute any APIs from the developer portal, which I was able to do previously with the CSP settings disabled.

I tried different options but am still getting blocked. I publish every time I change the settings. Can someone help me with this?

content-src 'self' https://contoso-apim.developer.azure-api.net

connect-src 'self';


From the web browser console log:


2

There are 2 answers

1
Ikhtesam Afrin (BEST ANSWER)

I have enabled Content Security Policy and added the line below under the allowed resource hostnames.

script-src 'self' https://****.developer.azure-api.net https://*****.azure-api.net 'unsafe-inline' 'unsafe-eval';


After making the changes, I published the developer portal. Then I tested the Echo API using the APIM developer portal and got the expected response.


0
Halvor Sakshaug

You have included ...-apim.developer.azure-api.net in your CSP, while the violation is on ...-apim.azure-api.net. You might need to include the hostname both with and without "developer" to cover all environments, or make them environment specific.

Also note that, the way you are configuring your sources, img-src ends up as a source for default-src rather than as a separate directive; it should be preceded by a semicolon.
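The two points in the answers above (a missing semicolon folds the next directive name into the previous directive's source list, and connect-src has to allow the gateway host, not just the portal host) can be checked offline with a small policy parser. The following is an added example, not code from Azure API Management or from either poster; the policies, the portal origin and the gateway origin `https://contoso-apim.azure-api.net` are constructed to mirror the question.

```python
"""Tiny CSP policy checker (example code, not part of Azure API Management).

It splits a policy string the way a browser does, flags directive names that
were swallowed into a previous directive because a ';' was missing, applies the
default-src fallback, and tests whether connect-src lets the portal origin call
the API gateway origin."""
from urllib.parse import urlparse

# Directive names a stray token might really be when a ';' was forgotten.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "frame-src", "media-src", "object-src", "worker-src",
    "frame-ancestors", "form-action", "base-uri",
}
# Keywords that widen script execution considerably; worth a second look.
RISKY_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(policy: str) -> dict:
    """Return {directive: [source tokens]}.

    Directives are split on ';' and tokens on whitespace, so a directive name
    that is not preceded by ';' is read as an ordinary source token of the
    previous directive. A repeated directive is ignored, as browsers do."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def misplaced_directives(directives: dict) -> list:
    """List (directive, token) pairs where a source token is a directive name."""
    return [(name, tok) for name, sources in directives.items()
            for tok in sources if tok.lower() in KNOWN_DIRECTIVES]


def source_allows(source: str, origin: str, self_origin: str) -> bool:
    """Does one source expression permit a request to `origin`?

    Handles 'self', scheme://host and a leading '*.' wildcard label; other
    keyword, nonce and hash sources never match a host."""
    if source == "'self'":
        return origin == self_origin
    if source.startswith("'"):
        return False
    org = urlparse(origin)
    src = urlparse(source if "://" in source else f"{org.scheme}://{source}")
    if src.scheme != org.scheme or src.hostname is None or org.hostname is None:
        return False
    if src.hostname.startswith("*."):
        return org.hostname.endswith(src.hostname[1:])
    return src.hostname == org.hostname


def allows(directives: dict, directive: str, origin: str, self_origin: str) -> bool:
    """Apply the CSP fallback: use `directive` if present, else default-src,
    else the fetch is unrestricted."""
    if directive in directives:
        sources = directives[directive]
    elif "default-src" in directives:
        sources = directives["default-src"]
    else:
        return True
    return any(source_allows(s, origin, self_origin) for s in sources)


def review(policy: str, portal_origin: str, gateway_origin: str) -> dict:
    """Summarise the checks that matter for the portal-to-gateway case."""
    d = parse_csp(policy)
    return {
        "gateway_calls_allowed": allows(d, "connect-src", gateway_origin, portal_origin),
        "misplaced_directives": misplaced_directives(d),
        "risky_keywords": sorted(t for s in d.values() for t in s if t in RISKY_KEYWORDS),
    }


# Constructed sample input: the portal host from the question and the gateway
# host the portal's "try it" console calls (assumed to be the same prefix
# without "developer").
PORTAL = "https://contoso-apim.developer.azure-api.net"
GATEWAY = "https://contoso-apim.azure-api.net"

# Constructed policy in the shape of the question: no ';' before img-src, and
# connect-src only allowing the portal itself.
BROKEN = ("default-src 'self' img-src https://contoso-apim.developer.azure-api.net; "
          "connect-src 'self'")
# The same policy with directives separated and the gateway domain allowed.
FIXED = ("default-src 'self'; img-src https://contoso-apim.developer.azure-api.net; "
         "connect-src 'self' https://*.azure-api.net")

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, review(policy, PORTAL, GATEWAY))
```

Running it shows that in the "broken" policy `img-src` never becomes a directive (it is just a source token inside default-src) and that connect-src `'self'` does not cover the gateway host, which is the violation the question's console log reports.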