Content Security Policy - Adding nonces to plain ASP.NET WebForms

  • Question

  • User-1802931265 posted

    A security audit has said that we need to implement CSP script nonces to improve security.

    I've recently upgraded an old website from asp.net 2.0 to 4.5 and will be upgrading to 4.8 once I get an update to a specific library that works with it.

    Looking through the forums, I see lots of posts talking about the antiXSS library, but it says it's end-of-life since framework 4.0. (https://archive.codeplex.com/?p=wpl)

    At the moment, the CSP is set (badly) to    <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval';" />

    I know how to generate a nonce, but don't know how or where to add it to the CSP?

    Thursday, May 21, 2020 4:32 PM

All replies

  • User-719153870 posted

    Hi Adrian_Parker,

    Adrian_Parker

    I know how to generate a nonce, but don't know how or where to add it to the CSP?

    Not sure if the requirement was understood correctly, maybe you can refer to CSP: script-src:

    Use nonce-<base64-value>, "A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy."

    You can find an example for how to use nonce value in CSP:

    <add name="Content-Security-Policy" value="default-src 'self'; script-src 'nonce-2726c7f26c'" />

    and below script will be allowed:

    <script nonce="2726c7f26c">
      var inline = 1;
    </script>

    Best Regards,

    Yang Shen

    Friday, May 22, 2020 5:03 AM
  • User-1802931265 posted

    Hi Yang Shen,

    What I mean is that I don't know the following:

    1. Where should the nonce be generated and stored
    2. How do I add the nonce to the CSP (that is in the web.config)
    3. How do I add the nonce to the script / style tags

    Any help would be much appreciated.

    Regards

    Adrian Parker

    Friday, May 22, 2020 8:07 AM
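The three steps asked about above (generate, add to the header, expose to the page) as one added example, not code from this thread. It assumes a Global.asax code-behind, the IIS integrated pipeline (Response.Headers is writable there; under classic mode use Response.AppendHeader instead), and a constructed HttpContext.Items key named "CspNonce". The nonce lives in HttpContext.Items rather than Session because the policy requires a fresh value on every response.

```csharp
// Added example: per-request CSP nonce for an ASP.NET WebForms site.
using System;
using System.Security.Cryptography;
using System.Web;

public class Global : HttpApplication
{
    // Constructed key name; any unused Items key works.
    public const string NonceKey = "CspNonce";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string nonce = GenerateNonce();

        // Items is scoped to this request only, so the value is never reused.
        Context.Items[NonceKey] = nonce;

        // The header is emitted from code because the static <add name=...>
        // entry in web.config cannot carry a per-request value. Remove the
        // web.config entry once this is in place, otherwise two policies are
        // sent and the browser enforces the intersection of both.
        Context.Response.Headers["Content-Security-Policy"] =
            "default-src 'self'; " +
            "script-src 'self' 'nonce-" + nonce + "'; " +
            "style-src 'self' 'nonce-" + nonce + "'";
    }

    // 128 bits from the framework CSPRNG, base64-encoded as CSP expects.
    public static string GenerateNonce()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }
}
```

In the .aspx markup each inline block then reads `<script nonce="<%= Context.Items["CspNonce"] %>">` (same for `<style>`); base64 contains no characters that need HTML encoding, but `<%: %>` is equally fine. Scripts a page injects later through ScriptManager or ClientScript are not covered by this and are the usual reason a WebForms nonce rollout is reported as blocked in the browser console.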
  • User-1802931265 posted

    Is there no way to do this?

    Monday, June 1, 2020 9:14 AM
  • User409696431 posted

    The subject is much more complicated than you may think.  First of all, from https://content-security-policy.com/nonce/ , "A nonce is a randomly generated token that should be used only one time.", so hard coding it anywhere is not going to meet the requirements.

    Further, the example given is:

    "Example Nonce Usage

    Using a nonce is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP script-src directive:

    script-src 'nonce-r@nd0m';
    

    NOTE: We are using the phrase: r@nd0m to denote a random value. You should use a cryptographically secure random token generator to generate a nonce value. The random nonce value should only be used for a single HTTP request."

    Given the requirement for a random token generator for each request, nonce seems to be anything but a simple implementation.  If you need to allow inline scripts, perhaps you should use the hash implementation rather than the nonce implementation, since the hash would be calculated once.

    From https://content-security-policy.com/hash/ 

    "CSP Hash Example

    Using a hash is one way to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP with JavaScript:

    Suppose we have the following script on our page:

    <script>doSomething();</script>
    

    If you compute the SHA-256 hash of our entire JavaScript code block, in our case it is just: doSomething(); you will get the value:

    RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=

    Finally we can add the hash to our script-src directive to allow it to execute via our Content-Security-Policy header:

    script-src 'sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=';

    What CSP hash algorithms are supported?

    The CSP Level 2 specification allows sha256, sha384, and sha512

    How do you generate the hash?

    The easiest way to generate it is to just open the developer tools console and it will output what the expected hash of your script was in the console error message.

    You can also use tools such as openssl to generate it, whitespace is not ignored."

    Monday, June 1, 2020 5:49 PM
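The hash alternative described above, as an added example that is not part of the reply: it turns an inline script body into the `'sha256-…'` token for script-src, hashing exactly the text between the script tags. Compare its output for "doSomething();" against the value quoted in the post; the second call shows why whitespace is not ignored.

```csharp
// Added example: compute a CSP Level 2 hash-source token for an inline script.
using System;
using System.Security.Cryptography;
using System.Text;

public static class CspHash
{
    // Returns the script-src token for the given inline script text.
    // The input must be byte-for-byte what sits between <script> and </script>,
    // including any leading or trailing newlines and indentation.
    public static string ScriptSrcToken(string inlineScript)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(inlineScript));
            return "'sha256-" + Convert.ToBase64String(digest) + "'";
        }
    }

    public static void Main()
    {
        // Sample script from the thread.
        Console.WriteLine(ScriptSrcToken("doSomething();"));

        // Same statement with a leading newline: a different token, so the
        // header and the markup must be generated from the identical text.
        Console.WriteLine(ScriptSrcToken("\ndoSomething();"));
    }
}
```

Hashes suit static inline blocks; any script whose text changes per request (for example one that embeds a server-side value) would need a new hash each time, which is exactly the situation a nonce is designed for.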
  • User-1802931265 posted


    Thanks for replying, but you've not answered any of the questions I've asked.

    Which event in global.asax should the nonce be generated in?

    Can the CSP in web.config be overridden to add the generated nonce value, or does the CSP have to be generated in the code directly and thus make it non-configurable.  And if so how is the CSP added in code?

    Am I correct in assuming that the script tags can just have the nonce added via <%= nonce-session-variable %>?

    Hopefully this makes my question clearer.

    Regards

    Adrian

    Monday, June 1, 2020 10:17 PM
  • User409696431 posted

    I've answered that you shouldn't use nonce.

    "Can the CSP in web.config be overridden to add the generated nonce value"

    Certainly not!  That would overwrite the web.config on every page request, and it would recompile the entire site due to the web.config change.

    Use hash instead.  Nonce is simply the wrong choice for a web forms site.

    Monday, June 1, 2020 11:19 PM