CSP Manager
# socials
Søren Mastrup
04/05/2024, 8:15 AMThe configuration in the backoffice is very nice!
But I can't get the tag helper to work
m
Matt Wise
04/05/2024, 8:19 AMYep! Its not released yet 😄
Matt Wise
04/05/2024, 8:20 AMthat the more coming soon, I just need to do some more testing but wanted to get Aarons PR from October out.
If you need it I can release it as a pre-release though
s
Søren Mastrup
04/05/2024, 8:20 AMThat is why! 😅
I was looking in the repo and compared what I had configured - Didn't think of checking the package version
Søren Mastrup
04/05/2024, 8:21 AMHow would I add the nonce without the tag helper?
Søren Mastrup
04/05/2024, 8:21 AMOr... Couldn't I just copy your tag helper into my project?
I guess the CSP service would be available?
m
Matt Wise
04/05/2024, 8:22 AMSo if you had a way of generating a random nonce value there is events you can hook into to alter the CSP
Matt Wise
04/05/2024, 8:22 AMWhich I really need to document 😄
Matt Wise
04/05/2024, 8:22 AMhttps://github.com/Matthew-Wise/Umbraco-CSP-manager/tree/1.2.1/src latest released source is this
Matt Wise
04/05/2024, 8:24 AMCspWritingNotification lets you alter the header before it goes "out"
the challenge with nonce is it should be unquie per request.
I have tested the nonce stuff manually but want some automatation which is why its not out yet
Matt Wise
04/05/2024, 8:24 AMTo save you the pain of adding nonce without Ill tag up a beta release now 🙂 (its all automated ;))
Matt Wise
04/05/2024, 8:28 AMShould appear on NuGet shortly 🙂 (first time I have ever got the release pipeline first time 😄 )
Matt Wise
04/05/2024, 8:29 AMs
Søren Mastrup
04/05/2024, 8:35 AMI see it! 😄
Will try it out
Søren Mastrup
04/05/2024, 8:40 AMThe tag helper getting registered, but it only add an empty nonce
m
Matt Wise
04/05/2024, 8:47 AMthats Chome been "helpful"
Matt Wise
04/05/2024, 8:48 AMif you view page source it will be there
Matt Wise
04/05/2024, 8:49 AM'strict-dynamic' as a script source is super powerful btw - https://content-security-policy.com/strict-dynamic/
It pretty much solves GTM 😉
s
Søren Mastrup
04/05/2024, 8:55 AMAaah okay 😄
Still getting an error though
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem localhost". Either the 'unsafe-inline' keyword, a hash ('sha256-Esn7Zb7FBRDn3I4afnisr4bjWWPnNHfSUd7R1Tuxh5E='), or a nonce ('nonce-...') is required to enable inline execution.Matt Wise
04/05/2024, 9:16 AMSo that error all depends on the script 🙂
Matt Wise
04/05/2024, 9:18 AMif its something generated from GTM you probably need to update the GTM include script to support nonce, which they do provide 🙂
s
Søren Mastrup
04/05/2024, 9:32 AMIt was just me testing some inline stuff in a script tag
Søren Mastrup
04/05/2024, 9:32 AMBut thanks for clarifying!
Søren Mastrup
04/05/2024, 9:46 AMIf i understand in correctly, I would need the hash added to the CSP header.
I am not really sure how I would do that when using CSP Manager
m
Matt Wise
04/05/2024, 9:51 AMIts the same as a url
Matt Wise
04/05/2024, 9:52 AMsame way 'unsafe-inline' so hash and check script-src
Matt Wise
04/05/2024, 9:52 AMAs a hash shouldnt change same as a url
s
Søren Mastrup
04/05/2024, 10:14 AMAh! Got it now!
Søren Mastrup
04/05/2024, 10:14 AMThanks