Menu
While implementing the CSP header on my website, I am facing problems with the automatically generated postback JavaScript that webforms adds to the page:
<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>
To support some other inline script tags I have successfully added the nonce attribute; however I can find no way to modify this piece of generated code to do the same thing. I have explored ClientScript.GetPostBackEventReference, but this appears to control the JavaScript within, nothing about the rendering of the <script> tag itself.
The solution does not necessarily need to involve adding the nonce attribute—anything that complies will do. For example, if there is an ASP.NET setting which can be configured to load this script as a file (which I can whitelist), that would be fine.
241
The nonce global attribute is a content attribute defining a cryptographic nonce ("number used once") which can be used by Content Security Policy to determine whether or not a given fetch will be allowed to proceed for a given element.
It allows the list of specific elements such as some specific inline script or style elements. It helps to avoid the use of the CSP unsafe-inline directive that would allow-list all inline styles. For using none, provide the script tag a nonce attribute.
A nonce is a random number used only once per page load. A nonce-based CSP can only mitigate XSS if the nonce value is not guessable by an attacker. A nonce for CSP needs to be: A cryptographically strong random value (ideally 128+ bits in length)
To allow inline scripts and inline event handlers, 'unsafe-inline' , a nonce-source or a hash-source that matches the inline block can be specified. Alternatively, you can create hashes from your inline scripts. CSP supports sha256, sha384 and sha512.
Good luck implementing a good CSP on ASP.NET with Webforms Scheme - WebForms controls will add a whole bunch of inline scripts like on this login button:
<a id="btnLogin" class="btn btn-info pull-right" href="javascript:__doPostBack('btnLogin','')">Login</a>
If you're not using many <asp:... controls, you might be alright.
To allow the above script you want to run, you can add this to your CSP after script-src:
sha256-uVkxb0ccirYwSBxwdr2/4qtJEH1eBw7MslAgyLdAVVY="
It lets your browser know that it should execute any script that has that sha256 hash.
The hash I've given you may not work if you're using different newlines to what I'm using (which I believe is windows style).
You should also be careful that if you don't have a page which changes the default form id to something other than "form1".
145
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
