aspnetcore-security-headers
Add Nonce support for other HTML elements that might have an inline style element
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' *.cloudflare.com *.disquscdn.com *.googleapis.com *.buttercms.com *.googleusercontent.com 'nonce-Tz8sqHeAjtkqmJZxqciT/YJzmu27Nqr7Y2WPwJMT+Cs='". Either the 'unsafe-inline' keyword, a hash ('sha256-U9tCTcgKy8M4xindppgbF+UxDlhaFqd2U2zGu0s19ik='), or a nonce ('nonce-...') is required to enable inline execution.
The Tag Helper doesn't apply the nonce to the following (among others)
<div style="background-image: url(@Html.GetResizedImageUrl(Model.FeaturedImage, 1200, 250, FitType.Crop));" asp-add-nonce="true"><!-- stuff --></div>
Thanks for bringing this up, I'll get it fixed up :)
I'm not sure if Content Security Policy itself allows this.
I generated a nonce on a <p> element with an inline style, and it still caused a CSP violation.
I think you have to allow inline styles with AllowUnsafeInline.
It looks like you're correct. That's unfortunate. :(
Thanks a lot for using the library and taking the time to report this though :)
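An added example (not part of this issue or the library) that models how a CSP3 browser evaluates `style-src` for the two inline cases discussed above, a `<style>` element versus a `style="..."` attribute. The nonce and origins are taken from the error message in the report; the attribute value is constructed.

```python
import base64
import hashlib

# values from the error message quoted in the issue
NONCE = "Tz8sqHeAjtkqmJZxqciT/YJzmu27Nqr7Y2WPwJMT+Cs="
ORIGINS = "*.cloudflare.com *.disquscdn.com *.googleapis.com *.buttercms.com *.googleusercontent.com"
# constructed stand-in for the rendered background-image attribute
STYLE_ATTR = "background-image: url(/images/featured_1200x250.jpg);"


def csp_hash_source(inline_content: str) -> str:
    """CSP hash-source for an inline body: 'sha256-<base64 digest>'.
    Browsers hash the exact bytes served, so whitespace must match."""
    digest = hashlib.sha256(inline_content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_allowed(style_src: str, kind: str, content: str, nonce: str = "") -> bool:
    """Decide whether an inline style is permitted by a style-src directive.
    kind is 'element' (<style nonce=...>...</style>) or 'attribute' (style="...")."""
    sources = style_src.split()[1:]  # drop the directive name
    hash_prefixes = ("'sha256-", "'sha384-", "'sha512-")
    has_nonce_or_hash = any(s.startswith(("'nonce-",) + hash_prefixes) for s in sources)
    # CSP2+: once a nonce or hash source is listed, 'unsafe-inline' is ignored,
    # so adding it next to the nonce does not rescue the attribute case
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if kind == "element":
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        return csp_hash_source(content) in sources
    if kind == "attribute":
        # nonces never apply to attributes; hashes do only with 'unsafe-hashes'
        return "'unsafe-hashes'" in sources and csp_hash_source(content) in sources
    raise ValueError(f"unknown inline kind: {kind}")


def issue_scenario() -> dict:
    """Reproduce the report: the same nonce authorises a <style> element but not a style attribute."""
    with_nonce = f"style-src 'self' {ORIGINS} 'nonce-{NONCE}'"
    with_hash = f"style-src 'self' {ORIGINS} 'unsafe-hashes' {csp_hash_source(STYLE_ATTR)}"
    return {
        "style_element_with_nonce": inline_style_allowed(with_nonce, "element", "p{}", NONCE),
        "style_attribute_with_nonce": inline_style_allowed(with_nonce, "attribute", STYLE_ATTR, NONCE),
        "style_attribute_with_unsafe_hashes": inline_style_allowed(with_hash, "attribute", STYLE_ATTR),
    }


if __name__ == "__main__":
    print(issue_scenario())
```

The `'unsafe-hashes'` route keeps the policy tighter than `'unsafe-inline'`, but only works when the attribute value is stable enough to hash at response time.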
No problem - it's a great library.
These might be good options to add too... and very simple :)
context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");                       // clickjacking: only same-origin framing
context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");                   // legacy XSS auditor switch; modern browsers ignore it
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");                   // stop MIME sniffing of responses
context.Response.Headers.Add("Referrer-Policy", "strict-origin-when-cross-origin");  // send only the origin to cross-origin destinations