Add support for CSP hashes #100

Closed
RehanSaeed opened this Issue May 11, 2017 · 11 comments

6 participants
RehanSaeed (Contributor) commented May 11, 2017

Here is a really good blog post showing how it can be done.

MovGP0 commented Jul 16, 2017
Currently have the issue that some inline styles are not loading properly besides having the .Self() defined. Support for hashes would solve that problem.

There should be support for unsafe inline, and a hash like hash 'sha256-dnk3F1ZGrgh9Kvk9Vn3ptiaFUoFeGRayv9lz2urXGw8='.


klings (Member) commented Jul 16, 2017

MovGP0 commented Jul 16, 2017

In fact, nonces is what I do. Still would prefer to use hashes instead.


MovGP0 commented Jul 16, 2017

Currently, I use the tag helpers. This gets rid of the browser issues, but it is not something that can be configured centrally and requires the usage of ASP.NET MVC. In other projects, it is more tricky to do that, since there might be no MVC at all.

Maybe there is a solution I have missed?


RehanSaeed (Contributor) commented Jul 16, 2017

Pages with hashes in them can be cached, while nonces cannot.


MovGP0 commented Sep 21, 2017

I have the issue that a page gets generated by a library that I am using and I am unable to put a nonce on it. The current solution is to allow 'unsafe-inline', but would sleep much better with a hash instead, since it's always the same.


HugCoder commented Oct 25, 2017

This is a big issue right now since many web browsers block inline-scripting as well by ignoring things like safe-inline. How to add hashes to the white list in CustomSources?

I can't find documentation on how to use nonces either, except for using the NWebsec Tag Helpers package.


troyhunt commented Nov 7, 2017

This seems like a bit of a no-brainer, can you allow a hash as a valid value for a script source? Nonces are a halfway-there approach and they're a good start, but it'd be great if NWebSec enabled a stricter definition of what's allowed to run.


klings (Member) commented Nov 8, 2017

jmaxxz commented Nov 21, 2017

If one does not have many inline scripts the following workaround can be used:

    // Concat(...) needs: using System.Linq;
    app.UseCsp(options => options
        .DefaultSources(s => s.Self())
        .ScriptSources(s =>
        {
            s.Self().CustomSources("https://example.com/foo/lib.js",
                "https://www.example.com/bar/lib.js");

            // Force hashes into custom sources. Can't be done with CustomSources(...)
            // because CustomSources(...) checks if strings are uris
            s.CustomSources = s.CustomSources.Concat(new[] { "'sha256-...='" });
        }));

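As an added example (not NWebsec's code and not part of this thread), the following Python shows the two pieces the workaround above relies on: computing the CSP hash-source for an inline script's exact content, and validating a source expression so that a hash is accepted alongside host URIs rather than rejected as a malformed URI. The inline script content, the `example.com` hosts (taken from the snippet above) and all function names are constructed for this example; the empty-content hash used in the checks is the standard SHA-256 of zero bytes.

```python
import base64
import hashlib
import re

# Added example, not NWebsec's code. Digest length in bytes for each hash
# algorithm that CSP accepts in a hash-source.
HASH_ALGOS = {"sha256": 32, "sha384": 48, "sha512": 64}


def hash_source(inline_content: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source ('sha256-<base64>') for the exact text of an
    inline <script> or <style> block, i.e. everything between the tags, untrimmed.
    The browser hashes the element's UTF-8 bytes verbatim, so a single whitespace
    change by a template engine or minifier invalidates the hash, while unchanged
    content always yields the same value (which is why a hash-based page can be
    cached and a nonce-based one cannot)."""
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported CSP hash algorithm: {algo}")
    digest = hashlib.new(algo, inline_content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


# Source-expression shapes from the CSP grammar. Quoted forms are keywords,
# nonces and hashes; anything unquoted is treated as a scheme- or host-source.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$")
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/_-]+={0,2}'$")
HOST_RE = re.compile(r"^[A-Za-z0-9*][^\s'\";,]*$")


def classify_source(expr: str) -> str:
    """Classify one source expression as 'keyword', 'nonce', 'hash' or 'host'.
    A hash is accepted only when its base64 payload decodes to the digest length
    of the named algorithm; any other quoted string is rejected. This is the check
    a CustomSources-style API needs so that a hash-source is neither mistaken for
    a URI nor waved through when malformed."""
    if expr in KEYWORDS:
        return "keyword"
    if NONCE_RE.match(expr):
        return "nonce"
    m = HASH_RE.match(expr)
    if m:
        algo, payload = m.groups()
        # CSP also permits the URL-safe base64 alphabet; normalise before decoding.
        payload = payload.replace("-", "+").replace("_", "/")
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"hash-source is not valid base64: {expr}") from exc
        if len(raw) != HASH_ALGOS[algo]:
            raise ValueError(f"{algo} digest must be {HASH_ALGOS[algo]} bytes: {expr}")
        return "hash"
    if expr.startswith("'"):
        raise ValueError(f"unknown quoted source expression: {expr}")
    if HOST_RE.match(expr):
        return "host"
    raise ValueError(f"malformed source expression: {expr}")


def is_valid_source(expr: str) -> bool:
    """True if classify_source accepts the expression, False otherwise."""
    try:
        classify_source(expr)
        return True
    except ValueError:
        return False


def build_directive(name: str, sources) -> str:
    """Validate every source expression and join them into one CSP directive."""
    for src in sources:
        classify_source(src)  # raises on anything malformed
    return f"{name} {' '.join(sources)}"


# Constructed sample: an inline script exactly as it sits in a page template,
# including the surrounding newlines and indentation that the browser will hash.
SAMPLE_INLINE_SCRIPT = "\n  window.appConfig = {apiBase: '/api'};\n"


def example_script_src() -> str:
    """script-src allowing self, two hosts and the constructed inline script."""
    return build_directive("script-src", [
        "'self'",
        "https://example.com/foo/lib.js",
        "https://www.example.com/bar/lib.js",
        hash_source(SAMPLE_INLINE_SCRIPT),
    ])


if __name__ == "__main__":
    print("Content-Security-Policy: " + example_script_src())
```

The hash must be recomputed whenever the inline content changes, so in practice it is generated at build or deploy time from the same template bytes the server will emit; the same content always produces the same hash-source, which is what makes a hash-based policy compatible with response caching.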
klings (Member) commented Mar 25, 2018

Released

klings closed this Mar 25, 2018
