Adding directly to the CSP sources from controller about lib.aspnetcore.security HOT 7 CLOSED

Hi,

As you have already noticed there is no way to achieve this without some changes. I need to think about an API, probably it will be best to expose it directly on IContentSecurityPolicyInlineExecutionFeature without introducing additional components, something like this:

public IActionResult DynamicContnt()
{
    string scriptContent = "{window.top.location.href = \" Request.Scheme}://{Request.Host}/Error/Index\"}";

    IContentSecurityPolicyInlineExecutionFeature cspFeature = HttpContext.Features.Get<IContentSecurityPolicyInlineExecutionFeature>();
    cspFeature.ComputeAndAddScriptHash(scriptContent);

    return Content($"<html><script>{scriptContent}</script><body></body></html>");
}

It feels to me a little bit better and doesn't require consumer to have dependencies on both libraries (but I would still like to give it a thought).

from lib.aspnetcore.security.

Hi thanks for the Reply,

Yes reason I put it in a new api is so that it could be stubbed for unit testing and if it was used in a service class or something outside of the controller. But it would take some configuration In startup.cs

Your solution would work for my requirement though and then could wrap up httpcontext.features.get

let me know if I can help further :-)

from lib.aspnetcore.security.

We would probably also need to expose a function to get the current nonce so that it can be added to the script tag in the return

from lib.aspnetcore.security.

Yes reason I put it in a new api is so that it could be stubbed for unit testing and if it was used in a service class or something outside of the controller.

That testing argument makes sense, I need to give it some more thought.

We would probably also need to expose a function to get the current nonce so that it can be added to the script tag in the return.

Unless I've misunderstood you, that's already covered by IContentSecurityPolicyInlineExecutionFeature.Nonce, but would to have be exposed in that new API as well if that would end up being the approach.

from lib.aspnetcore.security.

Yes you are right about the nonce, I see now...

Either way you choose, the implementation doesn’t look too difficult, the code is very well structured already :-)

from lib.aspnetcore.security.

Thank you :). If nothing blows up I should have something by the end of weekend.

from lib.aspnetcore.security.

I've decided to stick with feature, as this is related specifically to the processing of the current request.

Service approach would result in either an "extension like" service (totally dependent on passing HttpContext as parameter) or hidden dependency on IHttpContextAccessor. Using IHttpContextAccessor is still an option when access is needed from different context than controller and testability is just an aspect of properly stubbing HttpContext.

from lib.aspnetcore.security.