Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Middleware and TagHelpers for CSP support in ASP.NET #1

Merged
merged 5 commits into from
Aug 13, 2020
Merged

Middleware and TagHelpers for CSP support in ASP.NET #1

merged 5 commits into from
Aug 13, 2020

Conversation

gchatz22
Copy link

@gchatz22 gchatz22 commented Aug 12, 2020
edited
Loading

Hello ASP.NET Devs!

This PR adds Content Security Policy support for ASP.NET as a middleware. A very popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.

Summary of the changes (Less than 80 chars)

  • Allow configuration of whether CSP enabled in reporting or enforcement modes.
  • Allows configuration of a report URI, for violation reports sent by the browser.
  • CSP middleware generates a nonce-based, strict-dynamic policy.
  • Middleware adds thepolicy to HTTP responses according to the configuration.
  • Custom <script> TagHelper to set nonce attribute on script blocks automatically.
  • Provides a default implementation of a CSP violation report collection endpoint.
  • Example app that uses our CSP middleware and corresponding basic unit tests.

With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS.

Addresses #6001 (in this specific format)

Co-authored-by: Aaron Shim - aaronshim@google.com
Co-authored-by: Santiago Diaz - salchoman@gmail.comAllows configuration of a report URI, for violation reports sent by the browser.

salcho
salcho requested changes Aug 12, 2020
View reviewed changes
Copy link
Owner

@salcho salcho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

src/Middleware/CSP/README.md Outdated Show resolved Hide resolved
src/Middleware/CSP/README.md Outdated Show resolved Hide resolved
src/Middleware/CSP/README.md Outdated Show resolved Hide resolved
src/Middleware/CSP/README.md Outdated Show resolved Hide resolved
@gchatz22 gchatz22 requested a review from salcho August 12, 2020 12:56
salcho
salcho approved these changes Aug 13, 2020
View reviewed changes
Copy link
Owner

@salcho salcho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

@salcho salcho merged commit fd52908 into csp-post Aug 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@salcho salcho salcho approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gchatz22 @salcho