Need CSP for 404 after all.

Lombiq · Jan 7, 2024 · 4441bf5 · 4441bf5
1 parent a0793b7
commit 4441bf5
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Lombiq.HelpfulLibraries.AspNetCore/Security/ApplicationBuilderExtensions.cs b/Lombiq.HelpfulLibraries.AspNetCore/Security/ApplicationBuilderExtensions.cs
@@ -58,8 +58,8 @@ public static IApplicationBuilder UseContentSecurityPolicyHeader(
 
             context.Response.OnStarting(async () =>
             {
-                // No need to do content security policy on the "Not Found" page or on non-HTML responses.
-                if (context.Response.StatusCode == 404 || !context.Response.ContentType?.ContainsOrdinalIgnoreCase("text/html") == true) return;
+                // No need to do content security policy on non-HTML responses.
+                if (!context.Response.ContentType?.ContainsOrdinalIgnoreCase("text/html") == true) return;
 
                 // The thought behind this provider model is that if you need something else than the default, you should
                 // add a provider that only applies the additional directive on screens where it's actually needed. This way