Open Closed

Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) #9919

User avatar
0
can.ercan created

Hi,

We created a new project. We didn't make any changes.

Angular client returns "Cannot GET /"

In console we get the following error :

Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at http://localhost:4200/favicon.ico because it violates the following directive: “default-src 'none'”

Thanks,

Go to accepted answer
4 Answer(s)
  • User Avatar
    0
    AI-Bot created
    Support Team ABP Agent

    To resolve the Content-Security-Policy (CSP) error blocking image loading (such as favicon.ico) in your ABP Angular project, you need to adjust the CSP headers to allow images from the required sources.

    By default, ABP's Security Header Middleware may set a restrictive CSP like default-src 'none', which blocks all resources unless explicitly allowed. This causes the browser to block images, including the favicon.

    Solution:

    1. Locate the CSP configuration in your server-side (API or host) project. This is typically set in the ConfigureServices or OnApplicationInitialization method, or in the appsettings.json under SecurityHeaders.

    2. Update the CSP to allow images from your domain. For example, in C#:

    app.UseAbpSecurityHeaders(options =>
   {
       options.ContentSecurityPolicy = "default-src 'self'; img-src 'self' data:;";
   });
    • 'self' allows images from the same origin.
    • data: allows inline images (such as base64-encoded favicons).
    1. If you are using appsettings.json for configuration, update the relevant section:
    "SecurityHeaders": {
     "ContentSecurityPolicy": "default-src 'self'; img-src 'self' data:;"
   }
    1. Restart your application after making these changes.

    This will resolve the error and allow the favicon and other images to load.

    Sources:

    • https://abp.io/docs/latest/framework/ui/mvc-razor-pages/security-headers
    • https://abp.io/docs/latest/others/penetration-test-report

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • User Avatar
    0
    can.ercan created

    I tried removing app.UseAbpSecurityHeaders();

    I also tried adding the following in ConfigureServices :

    Configure<AbpSecurityHeadersOptions>(options => { options.UseContentSecurityPolicyHeader = true; options.ContentSecurityPolicyValue = "default-src 'self'; img-src 'self' data:;";
    });

    Neither worked.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Have you removed app.UseAbpSecurityHeaders(); from all backend websites?

    Thanks,

  • User Avatar
    0
    can.ercan created

    There is only one backend. I didn't split AuthServer. I removed it from Http.Host module.

Assignee
User avatar maliming
Question details
Labels
None yet
Boost Your Development
ABP Live Training
Packages
See Trainings
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v10.0.0-preview. Updated on September 22, 2025, 10:12