NetZero 8.5 - ASP.NET Core 3.1 Jquery
We are using NWebSec to add Content Security Policy into ASP.NET Zero 8.5. We’re using nonces on all script tags in the application as such (so using the tag helper):
<script nws-csp-add-nonce="true">
We’re getting a CSP error on the administration pages where the modal window is being loaded.
[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-LxksDtd8QWExYudx431bw42g' 'unsafe-eval' www.google.com cse.google.com kendo.cdn.telerik.com cdnjs.cloudflare.com cdn.jsdelivr.net *.vimeo.com localhost". Either the 'unsafe-inline' keyword, a hash ('sha256-A89G9Jx+cHr6joI5m9XkZvnSPnz+jSxZZlJRNjwuHqc='), or a nonce ('nonce-...') is required to enable inline execution.
I assume we’re getting this error because the content of the modal (CreateOrEditModal) is loading content dynamically (through Ajax). We have added the following configuration in the Startup for NWebSec:
app.UseHsts(options => options.MaxAge(days: 30)); //app.UseNoCacheHttpHeaders(); //Registered after static files, to set headers only for dynamic content. app.UseRedirectValidation(); //Registered after static files, they don't redirect app.UseReferrerPolicy(options => options.StrictOriginWhenCrossOrigin()); //app.UseReferrerPolicy(opts => opts.NoReferrerWhenDowngrade()); app.UseXContentTypeOptions(); app.UseXDownloadOptions(); app.UseXfo(options => options.SameOrigin()); //app.UseXfo(options => options.Deny()); app.UseXRobotsTag(options => options .NoIndex() .NoFollow() .NoArchive() .NoImageIndex() .NoOdp() .NoSnippet() .NoTranslate() ); app.UseXXssProtection(options => options.EnabledWithBlockMode());
app.UseCspReportOnly(options => options
.UpgradeInsecureRequests()
.DefaultSources(s => s
.Self()
.CustomSources("data:")
.CustomSources("https:")
)
.FontSources(s => s
.Self()
.CustomSources("fonts.googleapis.com", "*.fontawesome.com", "kendo.cdn.telerik.com", "*.vimeo.com"))
.FormActions(s => s.Self())
.FrameAncestors(s => s.Self())
.FrameSources(s => s
.Self()
.CustomSources("*.youtube.com", "*.vimeo.com", "app.powerbi.com"))
.ImageSources(s => s
.Self()
.CustomSources("kendo.cdn.telerik.com", "*.youtube.com", "*.vimeo.com", "data:"))
.MediaSources(s => s
.Self()
.CustomSources("*.youtube.com", "*.vimeo.com"))
.ScriptSources(s => s
.Self()
.CustomSources("www.google.com", "cse.google.com", "kendo.cdn.telerik.com", "cdnjs.cloudflare.com", "cdn.jsdelivr.net", "*.vimeo.com", "localhost")
.UnsafeEval() //TODO Required for Kendo
)
.StyleSources(s => s
.Self()
.UnsafeInline()
.CustomSources("*.google.com", "fonts.googleapis.com", "kendo.cdn.telerik.com", "cdn.jsdelivr.net", "*.vimeo.com", "*.youtube.com", "shepherdjs.dev/dist/css/shepherd.css"))
);
Is there a way to get around these exceptions as basically, we can’t enable CSP on the application now since it’ll block all admin pages?
