In an AngularJS application we are loading SSRS reports through Report Viewer control in aspx page(loaded in iframe) of ASP.NET. Version of Report viewer assemblies is 8.0. When the report is rendered on the browser as HTML I can see that
- All the styles are inline
- There is no type attribute(example type=text/JavaScript) to few script files.
Both the above issues are not Content Security Policy compliant. Hence causing many errors in browser developer tools when the report is loaded on the AngularJS application with in CSP report only mode HTTP header is added.
After investigation I have noticed that when the aspx page is processed at the server side and send the response back to browser as HTML, SSRS Report Viewer control is converted as ReportViewerWebControl.axd file which is referred as script in aspx file html response. I can see many axd related HTTP calls for the report to load completely in the browser.
Now I need to fix the CSP errors in the html response created by aspx file as well as axd files.
While debugging I am able to intercept/hit the HTML response generated by aspx file using below method in code behind(aspx.cs) file
protected override void Render(HtmlTextWriter Writer)
{
}
For intercepting HTML response created by ReportViewerWebControl.axd control, I have created httpmodule as below.
private void OnReleaseRequestState(object sender, EventArgs e)
{
}
But with above module code I am able to intercept/hit only ReportViewerWebControl.axd related HTTP calls with OpType=Resource at the server side with debugging. For example, I am able to intercept/hit the call http://localhost/Reserved.ReportViewerWebControl.axdReportViewerWebControl.axd?OpType=Resource (example gif files) while debugging. These calls not have any HTML response
But I am not able to intercept/hit ReportViewerWebControl.axd related HTTP calls with OpType=DocMapReport and OpType=ReportArea which actually generating HTML response that is not CSP compliant. Precisely I am unable to intercept/hit below http calls during debugging 1.http://localhost/Reserved.Reserved.ReportViewerWebControl.axd?OpType=DocMapReport 2.http://localhost/Reserved.ReportViewerWebControl.axd?ReportSession=XXXXX&OpType=ReportArea
As I am not able to intercept the response I am not able to perform CSP remediation. Please advise on how to access these axd file related http calls at the server side so that I can access their HTML response for further processing