Issue
My problem seems fairly simple, and I feel like I'm missing something extremely obvious, but I'm unable to determine why the nonce attribute on the script elements isn't populating and remains an empty string instead.
I decided to use the Items collection inside the HttpContext to store the nonce because, from what I can tell, it is per request.
Startup.Configure(IApplicationBuilder app, IHostingEnvironment env)
...
    // CSP: generate a fresh nonce on every request, store it in HttpContext.Items
    // (per-request storage) so the view can read it, and advertise it in the header.
    app.Use(async (context, next) =>
    {
        string nonce;
        using (var rng = new RNGCryptoServiceProvider())   // System.Security.Cryptography
        {
            byte[] nonceBytes = new byte[32];               // 256 bits of randomness
            rng.GetBytes(nonceBytes);
            nonce = Convert.ToBase64String(nonceBytes);
        }
        context.Items.Add("ScriptNonce", nonce);

        context.Response.Headers.Add("Content-Security-Policy", string.Format(
            "default-src 'none'; " +
            "script-src 'self' 'unsafe-eval' 'nonce-{0}'; " +
            "style-src 'self'; " +
            "img-src 'self' data: https:; " +
            "base-uri 'self'; " +
            "upgrade-insecure-requests; " +
            "object-src 'none'; ", nonce));

        await next();
    });
...
View
...
    @section Scripts {
        @* Razor reads the per-request nonce the middleware stored in HttpContext.Items *@
        <script src="~/lib/jquery-ajax-unobtrusive/jquery.unobtrusive-ajax.min.js" nonce="@Context.Items["ScriptNonce"]"></script>
        <script src="~/js/Views/Admin/users_index.min.js" nonce="@Context.Items["ScriptNonce"]"></script>
    }
Result:
The nonce is generated and it exists in HttpContext.Items, but the attribute does not populate.
This seems really simple and I'm really confused about why the attributes are not populating. I'm a bit new to web development, so any tips in ASP.Net Core 2 would be greatly appreciated if anything stands out to you.
Solution
Answer (from the first comment): The nonce was there the entire time; Chrome was hiding it.
Answered By - Gavin
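A way to confirm this without relying on DevTools, as an added example that is not part of the original post: CSP-enforcing browsers such as Chrome blank the nonce attribute they expose in the DOM (the value stays readable via the element's nonce property), so the check below parses the raw server response instead and reports, for each script tag, whether its nonce matches the one declared in the Content-Security-Policy header. The header, HTML and nonce value are constructed samples mirroring the middleware and view above.

```python
import re
from html.parser import HTMLParser

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=]+)'$")

def csp_script_nonces(csp_header):
    """Nonce values the CSP allows for scripts (script-src, else default-src)."""
    directives = {}
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return {m.group(1) for m in map(NONCE_RE.match, sources) if m}

class ScriptTagCollector(HTMLParser):
    """Record (src, nonce) for each <script> tag in the raw response body."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr = dict(attrs)
            self.scripts.append((attr.get("src"), attr.get("nonce")))

def check_script_nonces(csp_header, html):
    """Return [(src, status)], status in {'ok', 'missing', 'mismatch'}."""
    # Feed this the raw response (e.g. curl output), not the browser's DOM.
    allowed = csp_script_nonces(csp_header)
    collector = ScriptTagCollector()
    collector.feed(html)
    report = []
    for src, nonce in collector.scripts:
        if not nonce:
            report.append((src, "missing"))
        else:
            report.append((src, "ok" if nonce in allowed else "mismatch"))
    return report
# Constructed sample mirroring the header and view in the question above.
SAMPLE_NONCE = "c2FtcGxlLW5vbmNlLW5vdC1yYW5kb20="  # constructed, not random
SAMPLE_CSP = ("default-src 'none'; script-src 'self' 'unsafe-eval' "
              f"'nonce-{SAMPLE_NONCE}'; style-src 'self'; object-src 'none'; ")
SAMPLE_HTML = (
    f'<script src="/lib/jquery.unobtrusive-ajax.min.js" nonce="{SAMPLE_NONCE}"></script>'
    '<script src="/js/Views/Admin/users_index.min.js" nonce=""></script>'
    '<script src="/js/stale.min.js" nonce="b2xkLW5vbmNl"></script>')
if __name__ == "__main__":
    for src, status in check_script_nonces(SAMPLE_CSP, SAMPLE_HTML):
        print(f"{status:8} {src}")
```

The "missing" case is what an empty nonce attribute in the real response would look like; "mismatch" catches a nonce cached from an earlier request.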