Today we will remove Content Security Policy (CSP) header from pages hosted in web view. Technically it doesn’t matter which web view you use (whether it is IE, dotnetbrowser, CEF or whatever else). It all goes down to the same: we need to modify the server response.
We need to setup a web proxy handling whole communication. This requires trusting some self-signed certificate (most likely) to decrypt HTTPS traffic.
I will use Titanium-Web-Proxy version 3.0.684. Download the package using NuGet and then use this code:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
private void StartProxy() { var proxyServer = new ProxyServer(); proxyServer.CertificateManager.TrustRootCertificate(true); proxyServer.BeforeResponse += async (s, e) => { var headers = e.WebSession.Response.Headers; headers.RemoveHeader("Content-Security-Policy"); }; proxyServer.ServerCertificateValidationCallback += (s, e) => { e.IsValid = true; return Task.FromResult(0); }; var explicitEndPoint = new ExplicitProxyEndPoint(IPAddress.Any, 55666, true); proxyServer.AddEndPoint(explicitEndPoint); proxyServer.Start(); } |
First, we trust the root certificate. On first start of application we will see a dialog whether to install the certificate or not. Obviously, we need to do that.
Next, for each response we check headers and remove CSP header.
Finally, we accept all certificates for servers.
Then, we create an endpoint on port 55666 and we are done. Now, you just need to configure proxy for your web view and you are good to go. For instance, for dotnetbrowser do this:
1 2 3 |
var proxyRules = "http=127.0.0.1:55666;https=127.0.0.1:55666;"; var exceptions = "<local>"; FleepBrowser.Browser.Context.ProxyConfig = new CustomProxyConfig(proxyRules, exceptions); |
And you are done.
Warning: obviously trusting all certificates is something you shouldn’t do in production. Think twice what you need to do in your situation and don’t blindly copy the code from this page!