
Middleware and TagHelpers for CSP support in ASP.NET (#1) #298

Open. Wants to merge 1 commit into base: main

Conversation

@salcho salcho commented Aug 13, 2020

Hello .NET community!

This PR adds Content Security Policy support for ASP.NET as middleware. CSP is a popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.

Summary of the changes (Less than 80 chars)

  • Allow configuration of whether CSP is enabled in reporting or enforcement mode.
  • Allows configuration of a report URI, for violation reports sent by the browser.
  • CSP middleware generates a nonce-based, strict-dynamic policy.
  • Middleware adds the policy to HTTP responses according to the configuration.
  • Custom <script> TagHelper to set nonce attribute on script blocks automatically.
  • Provides a default implementation of a CSP violation report collection endpoint.
  • Example app that uses our CSP middleware and corresponding basic unit tests.
  • With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS.

Addresses dotnet/aspnetcore#6001

Co-authored with: Aaron Shim - https://github.com/aaronshim ([email protected])

@ghost
ghost commented Aug 13, 2020

CLA assistant check
All CLA requirements met.

@ctolkien
ctolkien commented Aug 13, 2020

@salcho
Author

salcho commented Aug 14, 2020

Hi Chad! The most popular way to add CSP to .NET at the moment is the NWebSec project. You can see the discussion on these alternatives at dotnet/aspnetcore#6001 (tl;dr some of these projects haven't been updated in a while and we all agree it would be good to add more core security features to .NET).

Sorry I didn't make this explicit in the PR description, but if you take a look at the README file inside the CSP folder you'll see references to our discussions with Barry Dorrans (barry.dorrans[at]microsoft.com) and a design document that explains the rationale behind this PR. This CSP implementation was intended to be added to the core .NET framework (see dotnet/aspnetcore#24548).

Unfortunately and if I understand correctly, there are some pressing deadlines for the release of .NET 6 and we've been asked by Barry to transfer this PR here so the .NET team can iterate on it later on.

@blowdart
Member

Obviously we're aware of the existing community projects, but this work goes beyond just the header itself that the linked packages above have, with the reporting endpoint to make debugging easier (oh look, your CSP violations in the console when you hit F5), and the nonce attribute generation.

We welcome collaboration with Google to drive browser security from the backend, and CSP is a great starting point, as it's a well understood feature. There's been discussion of more middlewares for more browser security features, and of course, given that Google tend to drive these things via Chrome experiments, it seems a rather natural fit.

As for why it's in labs, 5 is branched now for RC. No more features can be added, but we don't want to wait until 6 to have this up and running. Labs will allow us to give feedback, watch it iterate, and then ship a package out of band, and take it in band in 6 if needed (and it is sorely needed).

Base automatically changed from master to main March 11, 2021 20:54
@Ponant

Ponant commented Jun 28, 2021

What about styles?

@javiercn javiercn closed this Jan 24, 2022
@javiercn javiercn reopened this Jan 24, 2022
@javiercn javiercn removed their assignment Jan 24, 2022