Menu
I have MVC application developed in ASP.NET 4.5.1. The application is using javascripts in several pages. Some of the javascripts are referenced as
@Scripts.Render("~/Scripts/bootstrap")
@Scripts.Render("~/Scripts/js")
and also there are some inline scripts like
<script type="javascript">
// javascript code
</script>
I want to implement Content Security Policy for this site. The site is hosted in IIS. So in IIS i add content-security-policy header in HTTP Response Header as
object-src 'none';
script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
base-uri 'self';
report-uri https://csp.withgoogle.com/csp/<unique_id>/<application_version>
So every response will include this header.
Questions
1. Should nonce attribute only recommended for inline scripting?
2. How do i add randomly generatednonce into script tags and importantly how IIS would know randomly generated nonce value so it can include in response header? (i am assuming every response will have unique nonce value)
747
The nonce attribute is useful to allow-list specific elements, such as a particular inline script or style elements. It can help you to avoid using the CSP unsafe-inline directive, which would allow-list all inline scripts or styles.
It allows the list of specific elements such as some specific inline script or style elements. It helps to avoid the use of the CSP unsafe-inline directive that would allow-list all inline styles. Usage of nonce attribute.
Once created, nonce words often make their way into common language. For example, Lewis Carroll coined the word "chortle" for the poem Jabberwocky, and James Joyce created the word "quark" for his novel Finnegans Wake.
nonce attribute only used for inline scripts. If you want to take secure your sources from other origins, you can use hash
IIS does not provide nonce generation as default. You need to handle it on the backend.
i. Define a helper to generate a random nonce string, named CreateNonce(). The string length is not so important but you need to be sure it's a unique value. So, if you define a 10-20 length string with alphanumeric characters, it will be okay. You will call this method on your Views, where are your inline scripts. eg: <script <%CreateNonce()%>
When you call this helper, it will return an output that generated nonce value, eg.<script nonce-123abc> and call another helper which is explained on the following step.
ii. Define another helper to create CSP rules to Response Header for inline scripts, named CSPGenerator(). When you call this method, it should create a Content-Security-Policy response header if it does not exist. If the header is exist, it should append the new nonce value to that.
Pseudocode (sorry, I am not an asp.net developer);
Views.cshtml
<script <%CreateNonce()%> >
Helpers.cs
Public CreateNonce(){
generateRandomAlphaNumericChars
CSPGenerator('apply-to-csp-rules:generateRandomAlphaNumericChars')
and response.write generateRandomAlphaNumericChars
}
Public CSPGenerator(str nonce_){
GetHttpResponse[csp],
if null, add new response header,
response.header.append="script-src "+ nonce_
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
