aspnetcore-security-headers

Using SHA. How do I use it?

Open gatecrasher63 opened this issue 1 year ago • 4 comments

gatecrasher63 avatar Mar 09 '23 18:03 gatecrasher63

I have an issue with inline styles using MTCaptcha in an IFrame. I am getting loads of errors from the browser: refused to allow inline style.

I can specify unsafe-inline but I don't want to. Using Nonce doesn't help.

The error shows me an SHA value and I am being told to specify that.

Can I do that in some way? I was looking for something along the lines of .Allow("SHA....") but there doesn't seem to be an option. How would I go about doing this?

gatecrasher63 avatar Mar 09 '23 18:03 gatecrasher63

This might not be possible at the moment. An update could be made that would allow something like:

csp.AllowStyles.WithHash("sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=");

or in configuration:

{
  "Csp": {
    "Style": {
      "AllowedHashes": [
        "sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc="
      ]
    }
  }
}

juunas11 avatar May 24 '23 05:05 juunas11
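Added example, not part of the original thread and not the library's own code: computing a CSP hash source for an inline `<style>` block in plain .NET and checking a value copied from a browser error before putting it in `style-src`. The class and method names are hypothetical, the sample CSS is constructed, and the `'self'` source is an assumed baseline.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: names are hypothetical, not aspnetcore-security-headers APIs.
public static class CspStyleHash
{
    // Hash source for the exact text between <style> and </style>.
    // Any whitespace difference produces a different digest.
    public static string Compute(string styleContent)
    {
        using var sha = SHA256.Create();
        byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(styleContent));
        return "sha256-" + Convert.ToBase64String(digest);
    }

    // Rejects values that are not a well-formed hash source, e.g. a digest
    // truncated while copying it out of the browser console.
    // Only standard base64 is accepted here (no base64url variant).
    public static bool IsValid(string hashSource)
    {
        int dash = hashSource.IndexOf('-');
        if (dash < 0) return false;
        int expectedBytes = hashSource.Substring(0, dash) switch
        {
            "sha256" => 32, "sha384" => 48, "sha512" => 64, _ => 0
        };
        if (expectedBytes == 0) return false;
        try { return Convert.FromBase64String(hashSource.Substring(dash + 1)).Length == expectedBytes; }
        catch (FormatException) { return false; }
    }

    // Builds a style-src directive; 'self' is an assumed baseline source.
    public static string BuildStyleSrc(params string[] hashSources)
    {
        var sb = new StringBuilder("style-src 'self'");
        foreach (string h in hashSources)
        {
            if (!IsValid(h)) throw new ArgumentException("Malformed CSP hash source: " + h);
            sb.Append(" '").Append(h).Append('\'');
        }
        return sb.ToString();
    }

    public static void Main()
    {
        string css = "body { margin: 0; }"; // constructed sample inline style
        string fromThread = "sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc="; // value quoted above
        Console.WriteLine(BuildStyleSrc(Compute(css), fromThread));
    }
}
```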

@juunas11 I have created a PR for this issue.

gps-lasrol avatar Sep 12 '23 15:09 gps-lasrol

The PR has been merged. I was already working on a 5.0.0 version and included the changes in that. It should be available on NuGet soon.

juunas11 avatar Sep 13 '23 07:09 juunas11