Comments (7)
Hi,
As you have already noticed, there is no way to achieve this without some changes. I need to think about an API; probably it will be best to expose it directly on IContentSecurityPolicyInlineExecutionFeature without introducing additional components, something like this:
```csharp
public IActionResult DynamicContent()
{
    // Script content is only known at request time, so it cannot be hashed at build time.
    string scriptContent = $"window.top.location.href = \"{Request.Scheme}://{Request.Host}/Error/Index\"";
    IContentSecurityPolicyInlineExecutionFeature cspFeature = HttpContext.Features.Get<IContentSecurityPolicyInlineExecutionFeature>();
    // Hash exactly the string that is rendered below; any difference changes the hash.
    cspFeature.ComputeAndAddScriptHash(scriptContent);
    // Content(string) defaults to text/plain; the browser only runs the script as text/html.
    return Content($"<html><script>{scriptContent}</script><body></body></html>", "text/html");
}
```
It feels to me a little bit better and doesn't require the consumer to have dependencies on both libraries (but I would still like to give it a thought).
from lib.aspnetcore.security.
Hi, thanks for the reply.
Yes, the reason I put it in a new API is so that it could be stubbed for unit testing, and if it was used in a service class or something outside of the controller. But it would take some configuration in Startup.cs.
Your solution would work for my requirement though, and then I could wrap up HttpContext.Features.Get.
Let me know if I can help further :-)
We would probably also need to expose a function to get the current nonce so that it can be added to the script tag in the return.
> Yes, the reason I put it in a new API is so that it could be stubbed for unit testing, and if it was used in a service class or something outside of the controller.

That testing argument makes sense, I need to give it some more thought.

> We would probably also need to expose a function to get the current nonce so that it can be added to the script tag in the return.

Unless I've misunderstood you, that's already covered by IContentSecurityPolicyInlineExecutionFeature.Nonce, but it would have to be exposed in that new API as well if that ended up being the approach.
Yes, you are right about the nonce, I see now...
Either way you choose, the implementation doesn't look too difficult; the code is very well structured already :-)
Thank you :). If nothing blows up I should have something by the end of weekend.
I've decided to stick with the feature, as this is related specifically to the processing of the current request. A service approach would result in either an "extension like" service (totally dependent on passing HttpContext as a parameter) or a hidden dependency on IHttpContextAccessor. Using IHttpContextAccessor is still an option when access is needed from a different context than the controller, and testability is just an aspect of properly stubbing HttpContext.
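The thread leaves implicit what a ComputeAndAddScriptHash-style helper and the Nonce property actually have to produce. The following is an added example written for this page, not code from Lib.AspNetCore.Security, and it deliberately avoids the library's API: it is a stand-alone console program (assumes .NET 6 or later for SHA256.HashData and RandomNumberGenerator.GetBytes) that computes the CSP hash source for a dynamically built inline script, generates a per-response nonce, and assembles the script-src directive and the matching HTML. The scheme, host and 'self' source are constructed stand-ins for the Request.Scheme / Request.Host values in the thread.

```csharp
// Added example (not Lib.AspNetCore.Security code). Build with: dotnet new console, paste, dotnet run.
using System;
using System.Security.Cryptography;
using System.Text;

public static class CspInlineSources
{
    // CSP hash source: base64(SHA-256(UTF-8 bytes of the script)) over exactly the
    // characters between <script> and </script>. Browsers do not trim or normalise.
    public static string ScriptHashSource(string scriptContent)
    {
        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes(scriptContent));
        return "'sha256-" + Convert.ToBase64String(digest) + "'";
    }

    // Nonce source: 128 bits from a CSPRNG, base64 encoded, generated once per response
    // and never reused, otherwise an attacker who learns it can inject allowed scripts.
    public static string NewNonce()
    {
        return Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    }

    public static string BuildScriptSrc(params string[] sources)
    {
        return "script-src " + string.Join(" ", sources) + ";";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed stand-ins for Request.Scheme and Request.Host (assumption).
        string scheme = "https";
        string host = "example.test";
        string scriptContent = $"window.top.location.href = \"{scheme}://{host}/Error/Index\"";

        string hashSource = CspInlineSources.ScriptHashSource(scriptContent);
        string nonce = CspInlineSources.NewNonce();

        // The hash covers the script whose text is only known at request time; the nonce
        // covers a second inline script rendered with a nonce attribute. 'self' is a
        // hypothetical extra source.
        string header = CspInlineSources.BuildScriptSrc("'self'", hashSource, $"'nonce-{nonce}'");

        // The hashed script must be emitted byte-for-byte as hashed, so the same variable
        // is used in both the hash and the markup.
        string html =
            "<html><head>" +
            $"<script>{scriptContent}</script>" +
            $"<script nonce=\"{nonce}\">console.log('nonce-allowed');</script>" +
            "</head><body></body></html>";

        Console.WriteLine("Content-Security-Policy: " + header);
        Console.WriteLine(html);

        // Failure mode worth knowing: hashing text that differs from what is rendered
        // (here a single leading space) gives a different source and the browser blocks
        // the script with a CSP violation.
        bool sameHash = CspInlineSources.ScriptHashSource(" " + scriptContent) == hashSource;
        Console.WriteLine(sameHash
            ? "unexpected: hashes equal"
            : "hash changes when the rendered content changes, as expected");
    }
}
```

The design point this illustrates for the feature approach: the hash can only be computed after the controller has produced the final script text, and the header must be emitted after that, which is why tying the helper to the current request's feature rather than to a request-agnostic service fits the data flow.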
Related Issues (20)
- Add middleware for Content Security Policy reporting
- Add support for Expect-CT header
- Add middleware for Expect-CT reporting
- Would you consider contributing to NWebSec?
- Add support for X-Download-Options header
- Add support for X-Permitted-Cross-Domain-Policies header
- Add support for HTTP Public Key Pinning
- Add support for block-all-mixed-content directive in Content Security Policy
- Add support for frame-src directive in Content Security Policy
- Add support for plugin-types directive in Content Security Policy
- Add support for upgrade-insecure-requests in Content Security Policy
- Add support for worker-src directive in Content Security Policy
- Add ContentSecurityPolicySourceListBuilder
- Make nonce-source generation secure
- Add support for SHA384 and SHA512 hash algorithms in Content Security Policy
- Add hashes caching support in Content Security Policy tag helper
- Feedback
- Add Support for Permissions Policy and Mark Feature Policy Related APIs as Obsolete
- Add Ability for Providing Conditions for Handling Requests by Content-Security-Policy and Content-Security-Policy-Report-Only Violation Reports Endpoint