NetEscapades.AspNetCore.SecurityHeaders icon indicating copy to clipboard operation
NetEscapades.AspNetCore.SecurityHeaders copied to clipboard

Published 20 hours ago verified publisher icon andrewlock

asp-fallback-test & nonce attribute

Open panosru opened this issue 5 years ago • 2 comments

Having checked the issue #19, which is kind of related to this, I wonder if there is a solution since a couple of years passed already.

The problem:

Having this:

<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM"
    asp-fallback-src="~/js/bootstrap.min.js"
    asp-fallback-test="window.jQuery && window.jQuery.fn && window.jQuery.fn.modal"
    crossorigin="anonymous" asp-add-nonce="true"></script>

Will generate this:

<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" 
        integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" 
        crossorigin="anonymous" nonce="x&#x2B;2R9PRWupQLWDUYp1vp3uGsAMPpOIouI2TfKcZdVxQ="></script>
<script>(window.jQuery && window.jQuery.fn && window.jQuery.fn.modal||document.write("\u003Cscript src=\u0022/js/bootstrap.min.js\u0022 crossorigin=\u0022anonymous\u0022\u003E\u003C/script\u003E"));</script>

Which will result into this: image

Obviously the solution could be to ignore asp-fallback-* attributes and implement that by yourself, but I was wondering if there is a way for asp-fallback-test script that is generated to have nonce attribute when AddScriptSrc().WithNonce() is present.

Thank you!

panosru avatar Dec 22 '19 12:12 panosru

I've ran into the same issue, did you find a way to resolve this?

daver77 avatar Jan 22 '24 15:01 daver77

Is there any work-around?

vels-sonata avatar Jun 28 '24 13:06 vels-sonata

Just doing some clean up - the error message shown in Chrome these days describes exactly how to solve this issue, for example:

localhost/:71 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src * 'unsafe-hashes' 'sha384-8rXLW+9xortkwE6EZZ2vFX6/pkMSnhGytMGtkdyw4cuEndt+7uT70P1VnoQlY7Iv' 'sha256-Oro8tit8euyKzxqyJteBRTdQBlipvXGQWfS5epMHmUU=' 'sha512-HnGUfKliB0oTvZVr9fYpO/V/gyg+u/jT+Q/L7WHk1xELKUC3/G4WMgAn4o8vTe8oP2iGU2RbNmbLOA5lvlNb8w==' 'nonce-mGy5D9l/wgcBFk0iRhSJymrdsYefemaRd8GOsxmaYwc='". Either the 'unsafe-inline' keyword, a hash ('sha256-Xk8CbH6X+kVRWJ8BE8WjdPt/rw5f9By2EdfMbkChAkU='), or a nonce ('nonce-...') is required to enable inline execution.

Unfortunately, as the script element is auto-generated by a different tag helper, it's not easy for the library to automatically add the hash of the script or nonce to the element. The simplest option is to grab the hash it mentions and manually add that to your CSP e.g.:

var policyCollection = new HeaderPolicyCollection()
    .AddContentSecurityPolicy(builder =>
    {
        builder.AddScriptSrc().From("*")
          .WithHashTagHelper()
          .WithNonce()
          .UnsafeHashes()
          .WithHash256("j/kWZ/y+DZQOTLHQxWwAAu/hg+GGWVXxmPixUq26wnc=") // Allow the jquery asp-fallback-test script element
          .WithHash256("Xk8CbH6X+kVRWJ8BE8WjdPt/rw5f9By2EdfMbkChAkU="); // Allow the bootstrap asp-fallback-test script element

Note that the actual hash you need will vary based on the generated code, which in turn varies on any attributes you add to your scripts etc.

I added a working example of this to the demo site in #170

andrewlock avatar Aug 26 '24 08:08 andrewlock