
Is NONCE supported in ASP.NET when implementing the Content-Security-Policy header to protect from XSS?

I read that NONCE was not supported in ASP.NET; however, I read another simple article that shows how it is done. Does anyone use nonce for CSP headers? I was able to make my implementation work without it by using unsafe-inline for the inline JavaScript that is in my enterprise web app. It is not feasible to move the inline JS to external files, so the unsafe-inline source was recommended by the client.

I am wondering how many people actually use nonce or hash when implementing CSP. Also, any general best practices on CSP would be appreciated.

3
  • ASP.NET already has built-in anti-forgery tokens... is that not enough? Commented Feb 7, 2020 at 18:19
  • What do you mean by not supported? It's just a random value that you repeat in certain places. ASP.NET is more than able to both generate and embed such a value.
    – dandavis
    Commented Feb 7, 2020 at 20:05
  • Are you using something specific for CSP (e.g. NWebSec)? Did you manage to find any implementation for generating a nonce for each script tag in your application?
    – Rajesh
    Commented May 19, 2020 at 16:45

2 Answers 2

1

CSP is client-side behavior, not server-side; it doesn't make sense to talk about it as something a server-side technology like ASP.NET "does" or "does not" support. At the end of the day, all you're doing is adding some text to your HTTP response headers and HTML bodies. ASP.NET can absolutely do that.

The complication occurs if ASP.NET adds scripts (or other CSP-restricted content) automatically. In that case, if you require nonces on all such content, you'd need to ensure the server adds them to its auto-generated content too. If it doesn't support doing so automatically, you'll need to modify its behavior to do so "manually". There are a few ways and places you might do this, although I can't think of a really obvious one (but then, I haven't done any serious ASP.NET development in the last decade).

If you've got a site that explains how to make ASP.NET handle CSP nonces correctly, why didn't you just try it to see if it works? If it doesn't, you could ask why, and what to do about it... but that's more of a StackOverflow question than a Security.SE question. How to use CSP in the abstract is a security question. How to make it work in a particular way on a particular web server is a programming question.
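The mechanism the answer describes (one random value per request, emitted both in the header and on each inline script tag) as an added example for ASP.NET Core minimal hosting; this is not code from the question, the answer, or the article the asker mentions, and the `HttpContext.Items` key name `csp-nonce` is my own choice:

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Runs first so the header is set before any later middleware starts the response.
app.Use(async (context, next) =>
{
    // 128 bits from the CSPRNG, base64-encoded as the CSP grammar expects.
    // Base64 only uses A-Z a-z 0-9 + / =, so it is safe to drop into an attribute unencoded.
    var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    context.Items["csp-nonce"] = nonce; // hypothetical key name, read back when rendering

    // Only scripts carrying this exact nonce may execute; 'unsafe-inline' is no longer needed.
    context.Response.Headers["Content-Security-Policy"] =
        "default-src 'self'; script-src 'self' 'nonce-" + nonce + "'; " +
        "object-src 'none'; base-uri 'self'";

    await next();
});

app.MapGet("/", (HttpContext ctx) =>
{
    var nonce = (string)ctx.Items["csp-nonce"]!;

    // The first inline script matches the header and runs; the second has no nonce
    // and is blocked by the browser (visible as a CSP violation in the dev console).
    var html =
        "<!doctype html><html><body>\n" +
        "<script nonce=\"" + nonce + "\">console.log('allowed inline script');</script>\n" +
        "<script>console.log('blocked: no nonce');</script>\n" +
        "</body></html>";

    return Results.Content(html, "text/html");
});

app.Run();
```

In a Razor view the same value is emitted as `<script nonce="@Context.Items["csp-nonce"]">`; the nonce must be regenerated on every response, since a reused value gives an injected script a known nonce to copy.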

0

Microsoft's ASP.NET MVC web stack uses its own implementation of the Synchronizer Token Pattern using the HtmlHelper.AntiForgeryToken method and ValidateAntiForgeryToken attribute class.

When the Synchronizer Token Pattern is used, it is usually based on two tokens which are submitted to the server with each HTTP POST request (in addition to the authentication token): one token in a cookie and the other with the form value.

Token values generated by the ASP.NET runtime are not deterministic or predictable by an attacker. They look like the following: `<input name="__RequestVerificationToken" type="hidden" value="i411mJIr0mZKrk17g4Hf-0_G6aXOJLkzzGfd5yn2mVsTqj-35j_n0YUUCzFRXoFet3BXUVpBicpL3p-AqPPA3XEXEtykt4X-_MbRIxLQH6M1" />`

//////// VIEW ////////
<% using (Html.BeginForm("Delete_All", "Ideas")) { %>
    <%-- Emits the hidden __RequestVerificationToken field and the matching cookie --%>
    <%= Html.AntiForgeryToken() %>
    <!-- rest of form goes here -->
<% } %>

//////// CONTROLLER ////////

[HttpPost]                  // the token is only meaningful on state-changing POSTs
[ValidateAntiForgeryToken]  // rejects the request if cookie and form tokens do not match
public ActionResult Delete_All()
{
    // Delete all trade ideas ...
    return RedirectToAction("Index");
}
1
  • 1
    Anti-forgery tokens are to prevent CSRF. They don't protect against XSS like CSP does, so this doesn't answer the question. In fact, the anti-forgery token that protects against CSRF can be defeated if there is an XSS vulnerability present, so these two protections should be used together, not one or the other.
    – Xander
    Commented Feb 26, 2021 at 14:40
