
  • Nevena Nikolic 5 posts 25 karma points
    Sep 29, 2017 @ 09:02
    Nevena Nikolic
    0

    Content-Security-Policy

    Hello everyone,

    we are trying to implement security headers on our website and one of them is Content-Security-Policy. I started adding sources that we trust, but I am having issues opening the Umbraco back office because it's trying to execute inline scripts.

    Another issue that I faced is that if I try putting in a hash value I always get a "new one"; it looks like the script is "generated" on the fly, or there are 10+ scripts that are printed and executed inline.

    Is there any easy workaround for this issue that we are facing?

    Kind Regards

  • Sebastiaan Janssen 5057 posts 15514 karma points MVP admin hq
    Sep 30, 2017 @ 10:06
    Sebastiaan Janssen
    4

    I wrote about this in depth here: https://cultiv.nl/blog/so-you-want-to-secure-your-umbraco-site/

    Basically you need to ignore Umbraco paths like so:

     <location path="umbraco">
      <system.webServer>
       <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
       <httpProtocol>
        <customHeaders>
         <remove name="X-Frame-Options" />
         <add name="X-Frame-Options" value="SAMEORIGIN" />
         <remove name="Content-Security-Policy" />
         <add name="Content-Security-Policy" value="default-src 'self' www.gravatar.com player.vimeo.com *.vimeocdn.com packages.umbraco.org our.umbraco.org;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: www.gravatar.com umbraco.tv;font-src 'self';" />
        </customHeaders>
       </httpProtocol> 
      </system.webServer>
     </location>
    
  • Gary 80 posts 377 karma points
    Oct 28, 2019 @ 14:24
    Gary
    0

    Hi Sebastiaan,

    Do you have an updated link? It seems that the link now goes to default Umbraco installation screen.

    Thank you :)

    Kind Regards,

    Gary

  • Nevena Nikolic 5 posts 25 karma points
    Oct 03, 2017 @ 13:05
    Nevena Nikolic
    0

    Hi Sebastiaan,

    this worked, thank you a lot!

  • Jonathon Cove 8 posts 29 karma points
    Jun 11, 2024 @ 10:34
    Jonathon Cove
    0

    If anyone finds this (like I did) and wants to add a nonce to the Content-Security-Policy header in Umbraco v8, it can be done with a mixture of Umbraco UserComposers, OWIN, and HTML Helpers:

    using System;
    using System.Security.Cryptography;
    using Owin;
    using Umbraco.Core.Composing;
    using Umbraco.Web;

    public class NonceComposer : IUserComposer
    {
        public void Compose(Composition composition)
        {
            // Run once Umbraco has finished configuring its own OWIN middleware
            UmbracoDefaultOwinStartup.MiddlewareConfigured += UmbracoDefaultOwinStartup_MiddlewareConfigured;
        }

        private void UmbracoDefaultOwinStartup_MiddlewareConfigured(object sender, OwinMiddlewareConfiguredEventArgs e)
        {
            SetupNonce(e.AppBuilder);
        }

        private void SetupNonce(IAppBuilder app)
        {
            app.Use((context, next) =>
            {
                // A fresh 32-byte random nonce for every response
                var nonceBytes = new byte[32];
                using (var rng = new RNGCryptoServiceProvider())
                {
                    rng.GetBytes(nonceBytes);
                }
                var nonce = Convert.ToBase64String(nonceBytes);

                // Stash it in the OWIN environment so the view can read it back
                context.Set("ScriptNonce", nonce);

                //annoyingly, we can't get the current headers here
                string policy = string.Format(
                    " default-src 'self' 'nonce-{0}' *.gstatic.com *.googleapis.com *.openstreetmap.org *.cloudflare.com *.googletagmanager.com *.google-analytics.com;" +
                    " script-src 'self' 'nonce-{0}' *.googletagmanager.com *.google-analytics.com;" +
                    " style-src 'self' 'nonce-{0}' *.gstatic.com *.googleapis.com *.openstreetmap.org *.cloudflare.com *.googletagmanager.com *.google-analytics.com"
                , nonce);

                context.Response.Headers.Set("Content-Security-Policy", policy);
                return next();
            });
        }
    }
    

    Html Helper

    using System.Web;
    using System.Web.Mvc;

    public static class NonceHelper
    {
        // Reads the per-request nonce the OWIN middleware stored in the environment
        public static IHtmlString GetTheNonce(this HtmlHelper helper)
        {
            var owinContext = helper.ViewContext.HttpContext.GetOwinContext();
            return MvcHtmlString.Create(owinContext.Get<string>("ScriptNonce"));
        }
    }
    

    You can then use it in .cshtml files like this:

    <script nonce="@Html.GetTheNonce()">
    

    (As long as you add a using statement at the top of the .cshtml file for whichever namespace the NonceHelper sits in)

    You should also remove any settings of the Content-Security-Policy header in the .config files. It's technically possible to combine them, but I couldn't get it to work properly.
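    To make the trade-off between the two replies above concrete (the back-office policy that falls back to 'unsafe-inline' and 'unsafe-eval', versus a per-response nonce policy that blocks any inline script without the nonce), here is a small added Python example. It is not code from the thread or from Umbraco: it parses a Content-Security-Policy header, lints it for weak script and style sources, generates a nonce the same way the OWIN middleware does (32 random bytes, base64), and lists the inline `<script>` tags in a rendered page that a nonce-only policy would block. The back-office policy string is copied from the web.config above; the HTML snippet and the trimmed nonce policy are constructed for the example.

```python
import base64
import re
import secrets
from typing import Dict, List

# Back-office policy from the web.config in the thread (copied verbatim).
BACKOFFICE_POLICY = (
    "default-src 'self' www.gravatar.com player.vimeo.com *.vimeocdn.com packages.umbraco.org our.umbraco.org;"
    "script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';"
    "img-src 'self' data: www.gravatar.com umbraco.tv;font-src 'self';"
)


def new_nonce() -> str:
    """32 random bytes, base64 encoded: the same shape as the OWIN middleware's nonce."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def nonce_policy(nonce: str) -> str:
    """Per-response policy in the shape of the middleware's, with the host list trimmed (constructed)."""
    return (
        f"default-src 'self' 'nonce-{nonce}';"
        f" script-src 'self' 'nonce-{nonce}' *.googletagmanager.com;"
        f" style-src 'self' 'nonce-{nonce}' *.googleapis.com"
    )


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}; duplicates keep the first, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """script-src and style-src fall back to default-src when they are not set."""
    return policy.get(directive, policy.get("default-src", []))


def lint_csp(header: str) -> List[str]:
    """Report source expressions that undo the protection a CSP is meant to give."""
    findings: List[str] = []
    policy = parse_csp(header)
    if "default-src" not in policy and "script-src" not in policy:
        findings.append("no default-src or script-src: scripts are unrestricted")
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
        if "'unsafe-inline'" in sources:
            if nonce_or_hash:
                findings.append(f"{directive}: 'unsafe-inline' is ignored by CSP2+ browsers once a nonce/hash is present")
            else:
                findings.append(f"{directive}: 'unsafe-inline' permits any inline content")
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append("script-src: 'unsafe-eval' permits eval() and new Function()")
        if directive == "script-src" and any(s in ("*", "data:") for s in sources):
            findings.append("script-src: '*' or 'data:' lets any origin or data URL supply scripts")
    return findings


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(?<![\w-])(src|nonce)\s*=\s*"([^"]*)"', re.IGNORECASE)


def scripts_blocked_by_nonce(html: str, nonce: str) -> List[str]:
    """Inline <script> tags whose nonce is missing or wrong, i.e. what a nonce-only script-src blocks."""
    blocked: List[str] = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(match.group(1))}
        if "src" in attrs:
            continue  # external script: allowed by a host source or by its own nonce
        if attrs.get("nonce") != nonce:
            blocked.append(match.group(0))
    return blocked


def demo():
    """Lint both policies from the thread and check a constructed page against the nonce."""
    nonce = new_nonce()
    html = (  # constructed sample markup
        f'<script nonce="{nonce}">window.dataLayer = [];</script>\n'
        '<script src="/scripts/app.js"></script>\n'
        '<script>console.log("legacy inline");</script>\n'
    )
    return lint_csp(BACKOFFICE_POLICY), lint_csp(nonce_policy(nonce)), scripts_blocked_by_nonce(html, nonce)


if __name__ == "__main__":
    backoffice, nonced, blocked = demo()
    print("back-office policy:", *backoffice, sep="\n  ")
    print("nonce policy findings:", nonced)
    print("inline scripts blocked by nonce policy:", blocked)
```

    Run as-is, the linter reports the back-office policy's 'unsafe-inline' (script and style) and 'unsafe-eval', reports nothing for the nonce policy, and flags the one legacy inline script that lacks the nonce, which is exactly the class of script that kept the back office from loading in the first post. The "ignored" finding covers the case of combining both approaches: once a nonce or hash is present, browsers drop 'unsafe-inline' from that directive, so a merged header does not behave as the union of the two.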
