Content Security Policy Tag Helpers
Lib.AspNetCore.Mvc.Security provides Tag Helpers for `script` and `style` elements which can be used together with SecurityHeadersMiddleware for generating nonce and digest (hash) sources for inline elements. Configuration of SecurityHeadersMiddleware is a required prerequisite, as it injects IContentSecurityPolicyInlineExecutionFeature, which the Tag Helpers rely on.
```csharp
public void Configure(IApplicationBuilder app)
{
    ...
    app.UseSecurityHeaders(builder =>
    {
        builder.WithCsp(
            ...,
            scriptInlineExecution: ContentSecurityPolicyInlineExecution.Hash,
            styleInlineExecution: ContentSecurityPolicyInlineExecution.Hash
        )
        ...;
    });
    ...
}
```
The Tag Helpers target `csp-script` and `csp-style` elements, or `script` and `style` elements with the `asp-csp` attribute.
```html
<!DOCTYPE html>
<html lang="en">
<head>
    ...
    <style asp-csp="cache">
    ...
    </style>
</head>
<body>
    ...
    <script asp-csp>
    ...
    </script>
</body>
</html>
```
Depending on which option has been set for inline execution, the Tag Helpers will either add the `nonce` attribute to the element or calculate the hash and add it to the header value.

In the case of hashes, if the content of the element is static, there is an option of caching the calculated hash. To opt in to having the hash cached, the `asp-csp` attribute value should be set to `cache`.
```html
<script asp-csp="cache">
...
</script>
```
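As an added illustration (not code from Lib.AspNetCore.Mvc.Security), the following Python models what the Tag Helpers compute: the `'sha256-...'` hash source for an inline element body, the per-response nonce value, and a hash cache keyed by a hypothetical per-element key that shows why `asp-csp="cache"` is only safe for static content.

```python
import base64
import hashlib
import secrets

# CSP hash sources are built from the exact element body: 'sha256-<base64 digest>'.
SUPPORTED_ALGORITHMS = ("sha256", "sha384", "sha512")


def csp_hash_source(content: str, algorithm: str = "sha256") -> str:
    """Return the CSP hash source for the exact body of an inline element."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported CSP hash algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def csp_nonce(num_bytes: int = 16) -> str:
    """Return a fresh random nonce, as emitted in nonce="..." and 'nonce-...'."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


class InlineHashCache:
    """Models the asp-csp="cache" option (simplified, assumed design):
    the hash for a given element key is computed once and reused.
    If the body later changes, the stale cached hash no longer matches
    and the browser will block the element under the policy."""

    def __init__(self) -> None:
        self._cache = {}        # element key -> hash source
        self.computations = 0   # counts real digest calculations

    def get(self, element_key: str, content: str, cache: bool) -> str:
        if cache and element_key in self._cache:
            return self._cache[element_key]
        self.computations += 1
        source = csp_hash_source(content)
        if cache:
            self._cache[element_key] = source
        return source


def build_directive(name: str, sources: list) -> str:
    """Assemble one directive, e.g. script-src 'self' 'nonce-...' 'sha256-...'."""
    return f"{name} {' '.join(sources)}"


if __name__ == "__main__":
    cache = InlineHashCache()
    h = cache.get("Index.cshtml#script-1", "console.log('static body');", cache=True)
    print(build_directive("script-src", ["'self'", f"'nonce-{csp_nonce()}'", h]))
```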