feat: Add CSP configuration to use CSPMiddleware and CSP nonce to script tags in several cshtml script
This commit is contained in:
parent
674d753735
commit
87a766a2e8
@ -16,6 +16,7 @@ using EnvelopeGenerator.Web.Models;
|
|||||||
using DigitalData.Core.DTO;
|
using DigitalData.Core.DTO;
|
||||||
using System.Text.Encodings.Web;
|
using System.Text.Encodings.Web;
|
||||||
using Ganss.Xss;
|
using Ganss.Xss;
|
||||||
|
using EnvelopeGenerator.Web;
|
||||||
|
|
||||||
var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
|
var logger = LogManager.Setup().LoadConfigurationFromAppSettings().GetCurrentClassLogger();
|
||||||
logger.Info("Logging initialized!");
|
logger.Info("Logging initialized!");
|
||||||
@ -183,15 +184,12 @@ try
|
|||||||
}
|
}
|
||||||
|
|
||||||
app.UseHttpsRedirection();
|
app.UseHttpsRedirection();
|
||||||
app.UseStaticFiles();
|
|
||||||
|
|
||||||
var csp = config["Content-Security-Policy"];
|
var csp = config["Content-Security-Policy"];
|
||||||
if(csp is not null)
|
if(csp is not null)
|
||||||
app.Use(async (context, next) =>
|
app.UseCSPMiddleware(csp);
|
||||||
{
|
|
||||||
context.Response.Headers.Add("Content-Security-Policy", csp);
|
app.UseStaticFiles();
|
||||||
await next();
|
|
||||||
});
|
|
||||||
|
|
||||||
app.UseCookiePolicy();
|
app.UseCookiePolicy();
|
||||||
|
|
||||||
|
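Review bot: The call `app.UseCSPMiddleware(csp)` carries two implicit contracts that nothing in the hunk states: the configured policy holds a `{0}` placeholder that presumably receives the per-request nonce, and the views read that value back from `HttpContext.Items["csp-nonce"]`. A comment at the call site would make this visible, e.g. `// UseCSPMiddleware substitutes the per-request nonce for {0} in the configured policy and publishes it as HttpContext.Items["csp-nonce"] for the views (confirm against the middleware)`. Keeping the `"csp-nonce"` key and the placeholder as named constants in EnvelopeGenerator.Web would stop the middleware and the views drifting apart. Moving `app.UseStaticFiles()` below the CSP registration also puts the header on static responses, which looks intended but deserves a line of its own. The enclosing try block begins outside the hunk.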
|||||||
@ -1,4 +1,7 @@
|
|||||||
@{
|
@{
|
||||||
|
var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string;
|
||||||
|
}
|
||||||
|
@{
|
||||||
ViewData["Title"] = "Dokument geschützt";
|
ViewData["Title"] = "Dokument geschützt";
|
||||||
var userLanguage = ViewData["UserLanguage"] as string;
|
var userLanguage = ViewData["UserLanguage"] as string;
|
||||||
var languages = ViewData["Languages"] as string[];
|
var languages = ViewData["Languages"] as string[];
|
||||||
@ -50,7 +53,7 @@
|
|||||||
</section>
|
</section>
|
||||||
</div>
|
</div>
|
||||||
<footer class="container" id="page-footer">© SignFlow 2023-2024 <a href="https://digitaldata.works">Digital Data GmbH</a></footer>
|
<footer class="container" id="page-footer">© SignFlow 2023-2024 <a href="https://digitaldata.works">Digital Data GmbH</a></footer>
|
||||||
<script>
|
<script nonce="@nonce">
|
||||||
$(document).ready(function () {
|
$(document).ready(function () {
|
||||||
$('.select-flag').select2({
|
$('.select-flag').select2({
|
||||||
templateResult: formatResult,
|
templateResult: formatResult,
|
||||||
|
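Review bot: The added `@{ var nonce = ... }` block sits directly above the view's existing `@{` block, so the two can be one code block: `@{ var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string; ViewData["Title"] = "Dokument geschützt"; ... }`. The same lookup is repeated verbatim in the other views touched by this commit (the `@{` blocks inserted ahead of `@using DigitalData.Core.DTO;` in two later files), so the `"csp-nonce"` literal now lives in several places; a small shared helper that returns the nonce would keep the key in one spot. When no policy is configured the lookup yields null and Razor presumably omits the `nonce` attribute, which is harmless but worth a short comment next to the lookup so the null case is not mistaken for a bug.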
|||||||
@ -1,7 +1,6 @@
|
|||||||
@{
|
@{
|
||||||
ViewData["Title"] = "Dokument unterschrieben";
|
ViewData["Title"] = "Dokument unterschrieben";
|
||||||
}
|
}
|
||||||
|
|
||||||
<div class="page container p-5">
|
<div class="page container p-5">
|
||||||
<header class="text-center">
|
<header class="text-center">
|
||||||
<div class="icon signed">
|
<div class="icon signed">
|
||||||
@ -12,10 +11,8 @@
|
|||||||
</div>
|
</div>
|
||||||
<h1>Dokument erfolgreich signiert!</h1>
|
<h1>Dokument erfolgreich signiert!</h1>
|
||||||
</header>
|
</header>
|
||||||
|
|
||||||
<section class="text-center">
|
<section class="text-center">
|
||||||
<p>Sie haben das Dokument signiert. Im Anschluss erhalten Sie eine schriftliche Bestätigung.</p>
|
<p>Sie haben das Dokument signiert. Im Anschluss erhalten Sie eine schriftliche Bestätigung.</p>
|
||||||
</section>
|
</section>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<footer class="container" id="page-footer">© SignFlow 2023-2024 <a href="https://digitaldata.works">Digital Data GmbH</a></footer>
|
<footer class="container" id="page-footer">© SignFlow 2023-2024 <a href="https://digitaldata.works">Digital Data GmbH</a></footer>
|
||||||
@ -1,4 +1,7 @@
|
|||||||
@using DigitalData.Core.DTO;
|
@{
|
||||||
|
var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string;
|
||||||
|
}
|
||||||
|
@using DigitalData.Core.DTO;
|
||||||
@using EnvelopeGenerator.Application.DTOs;
|
@using EnvelopeGenerator.Application.DTOs;
|
||||||
@model EnvelopeReceiverDto;
|
@model EnvelopeReceiverDto;
|
||||||
@{
|
@{
|
||||||
@ -42,7 +45,7 @@
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<script>
|
<script nonce="@nonce">
|
||||||
const collapseNav = () => {
|
const collapseNav = () => {
|
||||||
document.addEventListener('click', function (event) {
|
document.addEventListener('click', function (event) {
|
||||||
var navbarToggle = document.getElementById('navbarToggleExternalContent');
|
var navbarToggle = document.getElementById('navbarToggleExternalContent');
|
||||||
@ -66,7 +69,7 @@
|
|||||||
|
|
||||||
var envelopeKey = ViewData["EnvelopeKey"] as string;
|
var envelopeKey = ViewData["EnvelopeKey"] as string;
|
||||||
|
|
||||||
<script>
|
<script nonce="@nonce">
|
||||||
var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
|
var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
|
||||||
var byteCharacters = atob(base64String);
|
var byteCharacters = atob(base64String);
|
||||||
var byteNumbers = new Array(byteCharacters.length);
|
var byteNumbers = new Array(byteCharacters.length);
|
||||||
@ -82,5 +85,4 @@
|
|||||||
})
|
})
|
||||||
</script>
|
</script>
|
||||||
}
|
}
|
||||||
|
|
||||||
<div id='app' style='background: gray; width: 100vw; height: 100vh; margin: 0 auto;'></div>
|
<div id='app' style='background: gray; width: 100vw; height: 100vh; margin: 0 auto;'></div>
|
||||||
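Review bot: With `<script nonce="@nonce">` the page now explicitly authorises the inline block that embeds `@Html.Raw(documentBase64String.TrySanitize(_sanitizer))` into a JavaScript string literal, so the nonce vouches for whatever that expression produces. `TrySanitize` with an HtmlSanitizer presumably strips HTML, which is not the same as making a value safe inside a JS string; a quote or backslash surviving it would still terminate the literal. Since the value is expected to be base64, the robust guard is to validate it as base64 before rendering (e.g. `Convert.TryFromBase64String`) or pass it through `JavaScriptEncoder.Default.Encode`, and to state that in a comment. The `<div id='app' style='...'>` in the last hunk uses an inline style attribute, which the new `style-src` policy without `'unsafe-inline'` will block because nonces apply to `<style>` elements, not to style attributes; moving it to a stylesheet or class avoids that. The surrounding `@{ }` code block begins outside the hunks.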
@ -1,4 +1,7 @@
|
|||||||
@using DigitalData.Core.DTO;
|
@{
|
||||||
|
var nonce = _accessor.HttpContext?.Items["csp-nonce"] as string;
|
||||||
|
}
|
||||||
|
@using DigitalData.Core.DTO;
|
||||||
@using Microsoft.AspNetCore.Http.Features
|
@using Microsoft.AspNetCore.Http.Features
|
||||||
@using Newtonsoft.Json.Serialization;
|
@using Newtonsoft.Json.Serialization;
|
||||||
@using Newtonsoft.Json;
|
@using Newtonsoft.Json;
|
||||||
@ -10,7 +13,7 @@
|
|||||||
}
|
}
|
||||||
@if (showBanner)
|
@if (showBanner)
|
||||||
{
|
{
|
||||||
<script>
|
<script nonce="@nonce">
|
||||||
@{
|
@{
|
||||||
var serializerSettings = new JsonSerializerSettings
|
var serializerSettings = new JsonSerializerSettings
|
||||||
{
|
{
|
||||||
|
|||||||
@ -5,4 +5,5 @@
|
|||||||
@inject IStringLocalizer<Resource> _localizer;
|
@inject IStringLocalizer<Resource> _localizer;
|
||||||
@inject System.Text.Encodings.Web.UrlEncoder _encoder
|
@inject System.Text.Encodings.Web.UrlEncoder _encoder
|
||||||
@inject Ganss.Xss.HtmlSanitizer _sanitizer
|
@inject Ganss.Xss.HtmlSanitizer _sanitizer
|
||||||
|
@inject Microsoft.AspNetCore.Http.IHttpContextAccessor _accessor
|
||||||
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
|
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
|
||||||
@ -11,9 +11,8 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"PSPDFKitLicenseKey": null,
|
"PSPDFKitLicenseKey": null,
|
||||||
/* recommended Content-Security-Policy for production:
|
/* The first format parameter {0} will be replaced by the nonce value. */
|
||||||
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self';" */
|
"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-{0}'; style-src 'self' 'nonce-{0}'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' wss://localhost:44385 ws://localhost:61446; frame-src 'self'; media-src 'self'; object-src 'self';",
|
||||||
"Content-Security-Policy": null,
|
|
||||||
"AdminPassword": "dd",
|
"AdminPassword": "dd",
|
||||||
"AllowedOrigins": [ "https://localhost:7202", "https://digitale.unterschrift.wisag.de/" ],
|
"AllowedOrigins": [ "https://localhost:7202", "https://digitale.unterschrift.wisag.de/" ],
|
||||||
"NLog": {
|
"NLog": {
|
||||||
|
|||||||
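Review bot: The policy now committed as the live `Content-Security-Policy` value looks like a development policy — `connect-src` lists `wss://localhost:44385 ws://localhost:61446`, which appear to be local tooling endpoints — while the previous "recommended for production" comment is dropped, so nothing marks the value as dev-only. Keep a comment such as `/* Development policy: the localhost connect-src entries are for local tooling; override Content-Security-Policy per environment */` and place the production value in the environment-specific settings file. `style-src 'self' 'nonce-{0}'` removes the `'unsafe-inline'` the old recommended policy had; nonces cover `<style>` elements but not `style="..."` attributes, so the inline style attribute visible in the app div of the viewer page will be reported as blocked. `img-src 'self' data: https:` permits any HTTPS origin, which is broader than the rest of the policy and worth a note on why it is needed.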