
Middleware and TagHelpers for CSP support in ASP.NET #24548

Closed
wants to merge 28 commits into from

Conversation

aaronshim

Hello ASP.NET Devs!

This PR adds Content Security Policy support for ASP.NET as a middleware, a very popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.

Summary of the changes (Less than 80 chars)

  • Allows configuration of whether CSP is enabled in reporting or enforcement mode.
  • Allows configuration of a report URI, for violation reports sent by the browser.
  • CSP middleware generates a nonce-based, strict-dynamic policy.
  • Middleware adds the policy to HTTP responses according to the configuration.
  • Custom <script> TagHelper to set nonce attribute on script blocks automatically.
  • Provides a default implementation of a CSP violation report collection endpoint.
  • Example app that uses our CSP middleware and corresponding basic unit tests.

With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS.

Addresses #6001 (in this specific format)

Co-authored-by: Santiago Diaz - [email protected]
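To make the mechanics described in the PR concrete, here is an added example (not the PR's own code, and not ASP.NET's API for CSP) of what a nonce-based, strict-dynamic CSP middleware, a `<script>` TagHelper that injects the nonce, and a report-collection endpoint look like in ASP.NET Core. The type and option names (`CspOptions`, `CspMiddleware`, `CspNonceScriptTagHelper`, `MapCspReports`) and the `/csp/report` path are assumptions chosen for the illustration.

```csharp
// Added example, not the PR's code. Names are assumptions; the ASP.NET Core
// APIs used (UseMiddleware, OnStarting, TagHelper, MapPost) are real.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Microsoft.AspNetCore.Razor.TagHelpers;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.Logging;

public sealed class CspOptions
{
    // false => Content-Security-Policy-Report-Only (collect violations, block nothing).
    // true  => Content-Security-Policy (enforce). Start in report-only, fix the
    // reported inline scripts, then flip to enforce.
    public bool Enforce { get; set; } = false;

    // Where browsers POST violation reports; null omits the report-uri directive.
    public string? ReportUri { get; set; }
}

public sealed class CspMiddleware
{
    // HttpContext.Items key under which the per-request nonce is handed to views.
    public const string NonceKey = "Csp.Nonce";

    private readonly RequestDelegate _next;
    private readonly CspOptions _options;

    public CspMiddleware(RequestDelegate next, CspOptions options)
    {
        _next = next;
        _options = options;
    }

    // 128 bits from the CSPRNG, base64-encoded. A nonce must be unguessable and
    // fresh for every response; reusing one defeats the whole policy.
    public static string GenerateNonce() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));

    // 'strict-dynamic' lets nonced scripts load further scripts by trust propagation.
    // 'unsafe-inline' and https: are fallbacks that browsers supporting
    // strict-dynamic ignore; object-src/base-uri 'none' close common bypasses.
    public static string BuildPolicy(string nonce, string? reportUri)
    {
        var policy = $"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; " +
                     "object-src 'none'; base-uri 'none'";
        if (!string.IsNullOrEmpty(reportUri))
            policy += $"; report-uri {reportUri}";
        return policy;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var nonce = GenerateNonce();
        context.Items[NonceKey] = nonce;

        // Set the header just before the response starts so it is never missed
        // when a downstream component writes the body early.
        context.Response.OnStarting(() =>
        {
            var header = _options.Enforce
                ? "Content-Security-Policy"
                : "Content-Security-Policy-Report-Only";
            context.Response.Headers[header] = BuildPolicy(nonce, _options.ReportUri);
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

// Matches every <script> element in Razor views and stamps the request's nonce on it,
// so developers do not have to remember the attribute on each script block.
[HtmlTargetElement("script")]
public sealed class CspNonceScriptTagHelper : TagHelper
{
    [ViewContext]
    [HtmlAttributeNotBound]
    public ViewContext ViewContext { get; set; } = default!;

    public override void Process(TagHelperContext context, TagHelperOutput output)
    {
        if (ViewContext.HttpContext.Items[CspMiddleware.NonceKey] is string nonce)
            output.Attributes.SetAttribute("nonce", nonce);
    }
}

public static class CspExtensions
{
    public static IApplicationBuilder UseCsp(this IApplicationBuilder app, CspOptions options) =>
        app.UseMiddleware<CspMiddleware>(options);

    // Browsers POST an application/csp-report JSON body; log it and answer 204.
    public static IEndpointConventionBuilder MapCspReports(
        this IEndpointRouteBuilder endpoints, string path, ILogger logger) =>
        endpoints.MapPost(path, async (HttpContext ctx) =>
        {
            using var reader = new StreamReader(ctx.Request.Body);
            var report = await reader.ReadToEndAsync();
            logger.LogWarning("CSP violation report: {Report}", report);
            ctx.Response.StatusCode = StatusCodes.Status204NoContent;
        });
}
```

Wiring it up in `Startup`/`Program` would look like `app.UseCsp(new CspOptions { Enforce = false, ReportUri = "/csp/report" });` followed by `endpoints.MapCspReports("/csp/report", logger);`, with `@addTagHelper *, YourAssemblyName` in `_ViewImports.cshtml` so the TagHelper applies to every view. The value of the report-only phase is exactly the one the PR describes: the logged reports point at the inline and third-party scripts that still lack a nonce, which is the refactoring backlog to clear before switching `Enforce` to true.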

salcho and others added 28 commits July 13, 2020 16:50
…nd run after this commit."

This reverts commit 591cb47.
…t tags. ASP.NET doesn't seem to allow Optional/Nullable binds, so we will have to call AddNonces on every webapp that uses CSP.
…s have nonces. Does not build yet because of some root directory configuration in the Startup.
@aaronshim aaronshim requested a review from Tratcher as a code owner August 3, 2020 20:47
@dnfadmin

dnfadmin commented Aug 3, 2020

CLA assistant check
Thank you for your submission, we really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

❌ aaronshim sign now

@aaronshim aaronshim changed the title Csp middleware Middleware and TagHelpers for CSP support in ASP.NET Aug 3, 2020
@Pilchie Pilchie added the community-contribution Indicates that the PR has been added by a community member label Aug 24, 2020
@Tratcher
Member

Should this be closed in favor of aspnet/AspLabs#298?

@Tratcher Tratcher closed this Aug 26, 2020
@amcasey amcasey added the area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middleware label Jun 2, 2023