I'm implementing a Content Security Policy (CSP) in my ASP.NET MVC application to enhance security, but I'm encountering issues with the nonce setup leading to multiple errors in the console. Here’s what I have done so far and the errors I’ve received.
Code Snippets

In my Global.asax.cs file, I have the following methods to generate a nonce and set the CSP header:
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        Response.Clear();
        HttpContext.Current.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
        var nonce = Convert.ToBase64String(Guid.NewGuid().ToByteArray()).TrimEnd('=');
        HttpContext.Current.Items["CSPNonce"] = nonce;
    }

    protected void Application_EndRequest(Object sender, EventArgs e)
    {
        if (!Request.IsLocal)
        {
            foreach (string cookie in Response.Cookies.AllKeys)
            {
                if (cookie.Equals(FormsAuthentication.FormsCookieName) || cookie != null)
                {
                    var httpCookie = Response.Cookies[cookie];
                    if (httpCookie != null)
                    {
                        httpCookie.Secure = true;
                        httpCookie.HttpOnly = true;
                        httpCookie.SameSite = SameSiteMode.Lax;
                    }
                }
            }
        }

        var nonce = HttpContext.Current.Items["CSPNonce"] as string;
        if (!string.IsNullOrEmpty(nonce))
        {
            // Construct the CSP header
            var cspHeader = "default-src 'self'; " +
                            "script-src 'self' 'unsafe-inline' 'nonce-{CSPNonce}'; " +
                            "style-src 'self' 'unsafe-inline' 'nonce-{CSPNonce}'; " +
                            "img-src 'self' 'nonce-{CSPNonce}' data: blob:; " +
                            "frame-ancestors 'none'; object-src 'none';";
            // Replace the nonce placeholder with the actual nonce value
            cspHeader = cspHeader.Replace("{CSPNonce}", nonce);
            HttpContext.Current.Response.Headers["Content-Security-Policy"] = cspHeader;
        }
    }
Error Messages

After implementing the above code, I am consistently receiving the following errors in the browser console:
The source list for the Content Security Policy directive 'script-src' contains an invalid source: ''nonce-{CSPNonce}''. It will be ignored.
The source list for the Content Security Policy directive 'style-src' contains an invalid source: ''nonce-{CSPNonce}''. It will be ignored.
The source list for the Content Security Policy directive 'img-src' contains an invalid source: ''nonce-{CSPNonce}''. It will be ignored.
What I’ve Tried

Ensured that I am correctly generating the nonce.
Checked to replace {CSPNonce} with the actual generated nonce in the CSP header.
Using nonces in inline scripts and styles in my Razor views as follows:

    @{
        var nonce = HttpContext.Current.Items["CSPNonce"] as string;
    }
    <script nonce="@nonce">
        // Your script here
    </script>
    <style nonce="@nonce">
        /* Your style here */
    </style>
Despite these efforts, the console still reports that the nonce is not being recognized.

Questions

What am I missing in the nonce replacement process? How can I correctly implement CSP with nonce values? Are there any additional considerations or best practices I should follow when setting up CSP in an ASP.NET MVC application? Thank you for your help!
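The nonce part of this setup, as an added example that is not the asker's code: a small helper (the names CspNonce, Generate, BuildHeader, IsWellFormed and Program are my own) that draws the nonce from a CSPRNG, builds the header with nonce sources only where CSP allows them, and checks that no template placeholder reaches the browser. Two things the posted policy gets wrong independently of the substitution problem: a browser ignores 'unsafe-inline' in a directive that also carries a nonce, so the policy is not the fallback it looks like, and 'nonce-...' is not a valid source expression in img-src, so the browser drops it there whatever value it holds. The console errors quote the literal text {CSPNonce}, which means the header the browser received was never substituted; the check below would catch that on the server before the response is sent.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Hypothetical helper (not the asker's code) for per-request CSP nonces.
public static class CspNonce
{
    // A nonce must be unpredictable per response, so take 128 bits from the
    // platform CSPRNG. Guid.NewGuid() is a unique identifier, not a secret,
    // and its bytes are not guaranteed to be unpredictable.
    public static string Generate()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        // Plain base64, padding included; that is the form the CSP grammar expects.
        return Convert.ToBase64String(bytes);
    }

    // Nonce sources are only meaningful in script-src and style-src (and their
    // -elem/-attr variants); in img-src a browser reports them as invalid and
    // drops them. 'unsafe-inline' is deliberately absent: a browser that
    // understands nonces ignores it once a nonce is present in the directive,
    // so keeping it only hides the fact that inline code without a nonce is blocked.
    public static string BuildHeader(string nonce)
    {
        if (string.IsNullOrEmpty(nonce))
            throw new ArgumentException("A nonce is required.", nameof(nonce));

        return "default-src 'self'; " +
               "script-src 'self' 'nonce-" + nonce + "'; " +
               "style-src 'self' 'nonce-" + nonce + "'; " +
               "img-src 'self' data: blob:; " +
               "frame-ancestors 'none'; object-src 'none'; base-uri 'self'";
    }

    // CSP nonce-source grammar: 'nonce-' followed by base64 characters and up to
    // two '=' padding characters. Anything else, including a leftover template
    // placeholder such as {CSPNonce}, is exactly what the browser console rejects.
    private static readonly Regex NonceSource =
        new Regex(@"'nonce-([A-Za-z0-9+/\-_]+={0,2})'", RegexOptions.Compiled);

    // Server-side sanity check before the header is sent: at least one
    // well-formed nonce source, every nonce source carries the expected value,
    // and no '{' or '}' survived string templating.
    public static bool IsWellFormed(string header, string expectedNonce)
    {
        if (header.IndexOf('{') >= 0 || header.IndexOf('}') >= 0)
            return false;

        var matches = NonceSource.Matches(header);
        if (matches.Count == 0)
            return false;

        foreach (Match m in matches)
        {
            if (m.Groups[1].Value != expectedNonce)
                return false;
        }
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var nonce = CspNonce.Generate();
        var header = CspNonce.BuildHeader(nonce);
        Console.WriteLine(header);
        Console.WriteLine("well-formed: " + CspNonce.IsWellFormed(header, nonce));

        // Constructed reproduction of the header the question's console errors
        // describe: the placeholder was never substituted, so the source is malformed.
        var unreplaced = "default-src 'self'; script-src 'self' 'nonce-{CSPNonce}'";
        Console.WriteLine("well-formed: " + CspNonce.IsWellFormed(unreplaced, nonce));
    }
}
```

To wire this into the Global.asax pattern from the question, call CspNonce.Generate() in Application_BeginRequest, store the value in HttpContext.Current.Items["CSPNonce"] as the post already does, and set Response.Headers["Content-Security-Policy"] to CspNonce.BuildHeader(nonce) only after IsWellFormed returns true; the Razor side (<script nonce="@nonce">) stays as posted, since Razor's HTML encoding leaves the base64 characters +, / and = untouched. If the browser still reports the literal {CSPNonce} after this change, check the response in the browser's Network tab for exactly one Content-Security-Policy header carrying the substituted value: a header with the unreplaced placeholder is not the one this code produced.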