diff --git a/EnvelopeGenerator.Web/Program.cs b/EnvelopeGenerator.Web/Program.cs
index 0bce58cc..43450505 100644
--- a/EnvelopeGenerator.Web/Program.cs
+++ b/EnvelopeGenerator.Web/Program.cs
@@ -16,6 +16,7 @@ using EnvelopeGenerator.Web.Models;
 using DigitalData.Core.DTO;
 using System.Text.Encodings.Web;
 using Ganss.Xss;
+using EnvelopeGenerator.Web;
 var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
 logger.Info("Logging initialized!");
@@ -183,15 +184,12 @@ try
 }
 app.UseHttpsRedirection();
- app.UseStaticFiles();
 var csp = config["Content-Security-Policy"];
 if(csp is not null)
- app.Use(async (context, next) =>
- {
- context.Response.Headers.Add("Content-Security-Policy", csp);
- await next();
- });
+ app.UseCSPMiddleware(csp);
+
+ app.UseStaticFiles();
 app.UseCookiePolicy();
diff --git a/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml b/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
index c2fc03e7..001141d1 100644
--- a/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
@@ -1,4 +1,7 @@
 @{
+ var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string;
+}
+@{
 ViewData["Title"] = "Dokument geschützt";
 var userLanguage = ViewData["UserLanguage"] as string;
 var languages = ViewData["Languages"] as string[];
@@ -50,7 +53,7 @@ - } -
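Review bot: When the `Content-Security-Policy` key is missing, `if(csp is not null)` silently skips `app.UseCSPMiddleware(csp)` and the application runs with no CSP at all, which is easy to overlook in a deployment; add an `else` that records it, e.g. `else logger.Warn("Content-Security-Policy is not configured; no CSP header will be sent.");`. `UseCSPMiddleware` itself is not part of this diff, so it cannot be checked here whether it verifies that the template contains the `{0}` nonce placeholder the new appsettings value relies on — a policy edited to drop the placeholder would leave every nonce-tagged script blocked, so a guard there seems worthwhile. Naming: .NET extension methods in this pipeline are `UseStaticFiles`/`UseCookiePolicy`, so `UseCsp` (PascalCase acronym, no `Middleware` suffix) would match. The enclosing `try` block starts and ends outside this hunk.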
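Review bot: `_accessor.HttpContext?.Items["csp-nonce"] as string` repeats a magic key that the middleware (outside this diff) must write under exactly the same name, and the same line is duplicated in `_CookieConsentPartial.cshtml`; a typo on either side yields a null nonce and a script that the policy silently blocks. Razor views already expose the current request as `Context`, so `var nonce = Context.Items["csp-nonce"] as string;` works without the `IHttpContextAccessor` injection added in `_ViewImports.cshtml` (which presumably also needs `AddHttpContextAccessor()` registered in Program.cs — not visible here). Better still, keep the key in one place: a constant on the middleware type, or a small injected helper or tag helper that emits the `nonce` attribute, so no view touches the key string. The second hunk of this file is truncated in this view, so the `<script>` tag that consumes `nonce` cannot be checked.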
\ No newline at end of file
diff --git a/EnvelopeGenerator.Web/Views/Shared/_CookieConsentPartial.cshtml b/EnvelopeGenerator.Web/Views/Shared/_CookieConsentPartial.cshtml
index 96c526f5..6dfed5cf 100644
--- a/EnvelopeGenerator.Web/Views/Shared/_CookieConsentPartial.cshtml
+++ b/EnvelopeGenerator.Web/Views/Shared/_CookieConsentPartial.cshtml
@@ -1,4 +1,7 @@
-@using DigitalData.Core.DTO;
+@{
+ var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string;
+}
+@using DigitalData.Core.DTO;
 @using Microsoft.AspNetCore.Http.Features
 @using Newtonsoft.Json.Serialization;
 @using Newtonsoft.Json;
@@ -10,7 +13,7 @@ } @if (showBanner) { - + var props = @Html.Raw(serializedProps); + var cookieSettings = new BootstrapCookieConsentSettings(props) + }
\ No newline at end of file
diff --git a/EnvelopeGenerator.Web/Views/Shared/_Layout.cshtml b/EnvelopeGenerator.Web/Views/Shared/_Layout.cshtml
index a0e917a0..40a6853f 100644
--- a/EnvelopeGenerator.Web/Views/Shared/_Layout.cshtml
+++ b/EnvelopeGenerator.Web/Views/Shared/_Layout.cshtml
@@ -29,4 +29,4 @@ @Html.AntiForgeryToken() - +
\ No newline at end of file
diff --git a/EnvelopeGenerator.Web/Views/_ViewImports.cshtml b/EnvelopeGenerator.Web/Views/_ViewImports.cshtml
index 131d7f99..a7b4fc62 100644
--- a/EnvelopeGenerator.Web/Views/_ViewImports.cshtml
+++ b/EnvelopeGenerator.Web/Views/_ViewImports.cshtml
@@ -5,4 +5,5 @@
 @inject IStringLocalizer _localizer;
 @inject System.Text.Encodings.Web.UrlEncoder _encoder
 @inject Ganss.Xss.HtmlSanitizer _sanitizer
+@inject Microsoft.AspNetCore.Http.IHttpContextAccessor _accessor
 @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
\ No newline at end of file
diff --git a/EnvelopeGenerator.Web/appsettings.json b/EnvelopeGenerator.Web/appsettings.json
index 82f633d8..c173a676 100644
--- a/EnvelopeGenerator.Web/appsettings.json
+++ b/EnvelopeGenerator.Web/appsettings.json
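Review bot: The new `@{ var nonce = … }` code block in `_CookieConsentPartial.cshtml` is inserted above the `@using` directives, which reads as if the directives depended on it; Razor presumably still compiles the file (directives are collected wherever they appear — confirm), but the convention is directives first, then code. Move the block to just below `@using Newtonsoft.Json;` so the partial's header keeps the usual directive-then-code shape. The second hunk of this file is truncated in this view, so the `<script>` that consumes `nonce` and the `BootstrapCookieConsentSettings` wiring cannot be checked here.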
@@ -11,9 +11,8 @@ } },
 "PSPDFKitLicenseKey": null,
- /* recommended Content-Security-Policy for production:
- "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self';" */
- "Content-Security-Policy": null,
+ /* The first format parameter {0} will be replaced by the nonce value. */
+ "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-{0}'; style-src 'self' 'nonce-{0}'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' wss://localhost:44385 ws://localhost:61446; frame-src 'self'; media-src 'self'; object-src 'self';",
 "AdminPassword": "dd",
 "AllowedOrigins": [ "https://localhost:7202", "https://digitale.unterschrift.wisag.de/" ],
 "NLog": {
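Review bot: The new `Content-Security-Policy` default bakes what look like development-only endpoints into the shipped policy — `connect-src 'self' wss://localhost:44385 ws://localhost:61446` (presumably hot-reload / browser-refresh sockets) belongs in `appsettings.Development.json`, so the production header does not advertise plain `ws:` localhost origins. `img-src 'self' data: https:` permits images from any HTTPS origin and `object-src 'self'` still allows plugin content; unless both are needed, tighten to `img-src 'self' data:` and `object-src 'none'`, and consider `base-uri 'self'; form-action 'self'; frame-ancestors 'self'`, which the removed recommendation comment also lacked. The comment says `{0}` is replaced by the nonce, which implies `string.Format` in the middleware (not in this diff); whoever edits this value needs to know that literal braces must then be doubled, so extend the comment to `/* {0} is replaced by the per-request nonce via string.Format; write literal braces as {{ and }}. */`. `"AdminPassword": "dd"` is unchanged context, but a checked-in default credential next to the security policy is worth moving to user-secrets or environment configuration.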