Middleware and TagHelpers for CSP support in ASP.NET (#1) #298
Conversation
Hello .NET community! This PR adds Content Security Policy support for ASP.NET as middleware. CSP is a popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP. Summary of the changes (Less than 80 chars) * Allow configuration of whether CSP enabled in reporting or enforcement modes. * Allows configuration of a report URI, for violation reports sent by the browser. * CSP middleware generates a nonce-based, strict-dynamic policy. * Middleware adds thepolicy to HTTP responses according to the configuration. * Custom <script> TagHelper to set nonce attribute on script blocks automatically. * Provides a default implementation of a CSP violation report collection endpoint. * Example app that uses our CSP middleware and corresponding basic unit tests. * With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS. Addresses dotnet/aspnetcore#6001 Co-authored with: Aaron Shim - aaronshim@google.com
|
|
|
Note that there is already an existing project: https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders And this one: |
|
Hi Chad! The most popular way to add CSP to .NET at the moment is the NWebSec project. You can see the discussion on these alternatives at dotnet/aspnetcore#6001 (tl;dr some of these projects haven't been updated in a while and we all agree it would be add more core security features to .NET). Sorry I didn't make this explicit in the PR description, but if you take a look at the README file inside the CSP folder you'll see references to our discussions with Barry Dorans (barry.dorrans[at]microsoft.com) and a design document that explains the rationale behind this PR. This CSP implementation was intended to be added as the core .NET framework (see dotnet/aspnetcore#24548). Unfortunately and if I understand correctly, there are some pressing deadlines for the release of .NET 6 and we've been asked by Barry to transfer this PR here so the .NET team can iterate on it later on. |
|
Obviously we're aware of the existing community projects, but this work does beyond just the header itself that the linked packages above have with the reporting endpoint to make debugging easier (oh look, your CSP violations in the console when you hit f5), and the nonce attribute generation. We welcome collaberation with google to drive browser security from the backend and CSP is a great starting point, as it's a well understood feature. There's been discussion of more middlewares for more browser security features, and of course, given that Google tend to drive these things via Chrome experiments, it seems a rather natural fit. As for why it's in labs, 5 is branched now for RC. No more features can be added, but we don't want to wait until 6 to have this up and running. Labs will allow us to give feedback, watch it iterate, and then ship a package out of band, and take it in band in 6 if needed (and it is sorely needed). |
|
What about styles? |
Hello .NET community!
This PR adds Content Security Policy support for ASP.NET as middleware. CSP is a popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.
Summary of the changes (Less than 80 chars)
Addresses dotnet/aspnetcore#6001
Co-authored with: Aaron Shim - https://github.com/aaronshim (aaronshim@google.com)