feat: Add CSP configuration to use CSPMiddleware and CSP nonce to script tags in several cshtml script

2024-05-14 11:22:07 +02:00 · 2024-05-14 11:22:07 +02:00 · 87a766a2e8
commit 87a766a2e8
parent 674d753735
8 changed files with 26 additions and 23 deletions
--- a/EnvelopeGenerator.Web/Program.cs
+++ b/EnvelopeGenerator.Web/Program.cs
@ -16,6 +16,7 @@ using EnvelopeGenerator.Web.Models;
 using DigitalData.Core.DTO;
 using System.Text.Encodings.Web;
 using Ganss.Xss;
+using EnvelopeGenerator.Web;

 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Info("Logging initialized!");
@ -183,15 +184,12 @@ try
    }

    app.UseHttpsRedirection();
-    app.UseStaticFiles();

    var csp = config["Content-Security-Policy"];
    if(csp is not null)
-        app.Use(async (context, next) =>
-        {
-            context.Response.Headers.Add("Content-Security-Policy", csp);
-            await next();
-        });
+        app.UseCSPMiddleware(csp);
+
+    app.UseStaticFiles();

    app.UseCookiePolicy();

--- a/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
@ -1,4 +1,7 @@
@{
+    var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string;
+}
+@{
    ViewData["Title"] = "Dokument geschützt";
    var userLanguage = ViewData["UserLanguage"] as string;
    var languages = ViewData["Languages"] as string[];
@ -50,7 +53,7 @@
    </section>
 </div>
 <footer class="container" id="page-footer">&copy; SignFlow 2023-2024 <a href="https://digitaldata.works">Digital Data GmbH</a></footer>
-<script>
+<script nonce="@nonce">
    $(document).ready(function () {
        $('.select-flag').select2({
            templateResult: formatResult,
--- a/EnvelopeGenerator.Web/Views/Home/EnvelopeSigned.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/EnvelopeSigned.cshtml
@ -1,7 +1,6 @@
@{
    ViewData["Title"] = "Dokument unterschrieben";
 }
-
 <div class="page container p-5">
    <header class="text-center">
        <div class="icon signed">
@ -12,10 +11,8 @@
        </div>
        <h1>Dokument erfolgreich signiert!</h1>
    </header>
-
    <section class="text-center">
        <p>Sie haben das Dokument signiert. Im Anschluss erhalten Sie eine schriftliche Bestätigung.</p>
    </section>   
 </div>
-
 <footer class="container" id="page-footer">&copy; SignFlow 2023-2024 <a href="https://digitaldata.works">Digital Data GmbH</a></footer>
--- a/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
@ -1,4 +1,7 @@
-@using DigitalData.Core.DTO;
+@{
+    var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string;
+}
+@using DigitalData.Core.DTO;
@using EnvelopeGenerator.Application.DTOs;
@model EnvelopeReceiverDto;
@{
@ -42,7 +45,7 @@
        </div>
    </div>
 </div>
-<script>
+<script nonce="@nonce">
    const collapseNav = () => {
        document.addEventListener('click', function (event) {
            var navbarToggle = document.getElementById('navbarToggleExternalContent');
@ -66,7 +69,7 @@

    var envelopeKey = ViewData["EnvelopeKey"] as string;

-    <script>
+    <script nonce="@nonce">
        var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
        var byteCharacters = atob(base64String);
        var byteNumbers = new Array(byteCharacters.length);
@ -82,5 +85,4 @@
        })
    </script>
 }
-
 <div id='app' style='background: gray; width: 100vw; height: 100vh; margin: 0 auto;'></div>
--- a/EnvelopeGenerator.Web/Views/Shared/_CookieConsentPartial.cshtml
+++ b/EnvelopeGenerator.Web/Views/Shared/_CookieConsentPartial.cshtml
@ -1,4 +1,7 @@
-@using DigitalData.Core.DTO;
+@{
+    var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string;
+}
+@using DigitalData.Core.DTO;
@using Microsoft.AspNetCore.Http.Features
@using Newtonsoft.Json.Serialization;
@using Newtonsoft.Json;
@ -10,7 +13,7 @@
 }
@if (showBanner)
 {
-    <script>
+<script nonce="@nonce">
@{
    var serializerSettings = new JsonSerializerSettings
    {
@ -18,7 +21,7 @@
    };
    string serializedProps = JsonConvert.SerializeObject(_cookieSettings, serializerSettings);
 }
-        var props = @Html.Raw(serializedProps);
-        var cookieSettings = new BootstrapCookieConsentSettings(props)
-    </script>
+    var props = @Html.Raw(serializedProps);
+    var cookieSettings = new BootstrapCookieConsentSettings(props)
+</script>
 }
--- a/EnvelopeGenerator.Web/Views/Shared/_Layout.cshtml
+++ b/EnvelopeGenerator.Web/Views/Shared/_Layout.cshtml
@ -29,4 +29,4 @@
    </main>
    @Html.AntiForgeryToken()
 </body>
-</html>
+</html>
--- a/EnvelopeGenerator.Web/Views/_ViewImports.cshtml
+++ b/EnvelopeGenerator.Web/Views/_ViewImports.cshtml
@ -5,4 +5,5 @@
@inject IStringLocalizer<Resource> _localizer;
@inject System.Text.Encodings.Web.UrlEncoder _encoder
@inject Ganss.Xss.HtmlSanitizer _sanitizer
+@inject Microsoft.AspNetCore.Http.IHttpContextAccessor _accessor
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
--- a/EnvelopeGenerator.Web/appsettings.json
+++ b/EnvelopeGenerator.Web/appsettings.json
@ -11,9 +11,8 @@
    }
  },
  "PSPDFKitLicenseKey": null,
-  /*  recommended Content-Security-Policy for production:
-      "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self';"  */
-  "Content-Security-Policy": null,
+  /* The first format parameter {0} will be replaced by the nonce value. */
+  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-{0}'; style-src 'self' 'nonce-{0}'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' wss://localhost:44385 ws://localhost:61446; frame-src 'self'; media-src 'self'; object-src 'self';",
  "AdminPassword": "dd",
  "AllowedOrigins": [ "https://localhost:7202", "https://digitale.unterschrift.wisag.de/" ],
  "NLog": {