
Is it possible to add multiple Content Security Policy directive in Asp.net Web.config?

I'm currently applying security measures in our Asp.net applications and had to solve a few issues like x-frame-options, but had difficulties with how to add multiple Content Security Policy directives.

I've searched a lot and haven't found an exact solution for how to add multiple CSP directives in web.config, only through code like blog.simontimms.com.

Currently this is the CSP I have:

<httpProtocol>
  <customHeaders>
    <clear />
    <add name="X-Frame-Options" value="ALLOW-FROM http://subdomain.domain.com" />
    <add name="Content-Security-Policy" value="frame-ancestors http://subdomain.domain.com" />
  </customHeaders>
</httpProtocol>

My question is: how do I add multiple Content Security Policy directives in Asp.net web.config? I tried the configuration below, delimited by semicolons, but it doesn't work :(

<add name="Content-Security-Policy" value="frame-ancestors http://subdomain.domain.com; img-src *; " />

Update:

I think the above code was the right syntax for adding multiple directives. I only missed 'self' right after frame-ancestors, which caused an error at run-time that made me think at first that it was wrong.

Additional information:

If you run into issues where you have a lot of sub-domains, you can put a wildcard '*' on it like this:

<add name="Content-Security-Policy" value="frame-ancestors 'self' http://*.domain.com; img-src *; " />
jtabuloc asked Nov 03 '15 07:11

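As an added illustration (not code from the question, from NWebsec, or from the linked blog posts), here is a small Python check that reads a web.config fragment modelled on the question's configuration, splits the semicolon-delimited Content-Security-Policy value into its directives, and flags what a reviewer would raise: the X-Frame-Options ALLOW-FROM header that a CSP frame-ancestors directive overrides, and the wildcard img-src. The web.config text is constructed here to mirror the question's snippet.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment, modelled on the configuration in the question.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-Frame-Options" value="ALLOW-FROM http://subdomain.domain.com" />
        <add name="Content-Security-Policy"
             value="frame-ancestors 'self' http://*.domain.com; img-src *; " />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def custom_headers(config_xml):
    """Return {header name: value} from the <add> entries under <customHeaders>."""
    root = ET.fromstring(config_xml)
    headers = {}
    for add in root.iter("add"):
        if "name" in add.attrib and "value" in add.attrib:
            headers[add.attrib["name"]] = add.attrib["value"]
    return headers


def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}.
    Directives are ';'-separated; within a directive the name and its sources
    are whitespace-separated. A trailing ';' (as in the question) is harmless."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def review(config_xml):
    """Return (parsed policy, list of findings) for the headers in config_xml."""
    headers = custom_headers(config_xml)
    policy = parse_csp(headers.get("Content-Security-Policy", ""))
    findings = []
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors directive: CSP does not restrict framing")
    elif headers.get("X-Frame-Options", "").upper().startswith("ALLOW-FROM"):
        # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored,
        # and ALLOW-FROM was never supported by all browsers.
        findings.append("X-Frame-Options ALLOW-FROM is overridden by frame-ancestors")
    for name, sources in policy.items():
        if "*" in sources:
            findings.append(f"{name} allows any origin via '*'")
    return policy, findings
```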


1 Answer

You may want to use NWebsec. Please look at the following example from Troy Hunt (http://www.troyhunt.com/2015/05/implementing-content-security-policy.html):

<content-Security-Policy enabled="true">
  <default-src self="true" />
  <script-src unsafeInline="true" unsafeEval="true" self="true">
    <add source="https://www.google.com" />
    <add source="https://www.google-analytics.com" />
    <add source="https://cdnjs.cloudflare.com" />
  </script-src>
  <style-src unsafeInline="true" self="true">
    <add source="https://cdnjs.cloudflare.com"/>
  </style-src>
  <img-src self="true">
    <add source="https://az594751.vo.msecnd.net"/>
    <add source="https://www.google.com"/>
    <add source="https://www.google-analytics.com" />
  </img-src>
  <font-src>
    <add source="https://cdnjs.cloudflare.com"/>
  </font-src>
  <object-src none="false" />
  <media-src none="false" />
  <frame-src none="false" />
  <connect-src none="false" />
  <frame-ancestors none="false" />
  <report-uri enableBuiltinHandler="true"/>
</content-Security-Policy>

NWebsec is an easy to use security library for ASP.NET applications. With a few lines of config it lets you set important security headers, detect potentially dangerous redirects, control cache headers, and remove version headers. See project website for documentation.

I believe it's capable of adding multiple lines of CSP rules.

https://www.nuget.org/packages/NWebsec

Mehmet Ince answered Oct 15 '22 09:10
