
Content Security Policy

I am currently implementing CSP (Content Security Policy) for my project and I have chosen to implement a nonce for all the inline scripts that cannot be moved away from the web page. While trying to implement the nonce for classic aspx pages, there are a few places where the script manager is being included to use the AJAX Control Toolkit, and they are generating a tag in the HTML.

Since I have a nonce implementation, I need to add the nonce attribute to the script tag in order to prevent the from getting blocked by the CSP. I have been looking into this for 2 days and I don't find any suggestion/solution for this.

EDIT:

I am generating the nonce using OWIN middleware. The meta tag is being generated dynamically and appended to the meta tag during the master page load.

Any help would be appreciated.

Thanks

On IIS 7 and above, you can leverage the URL Rewrite Module to define outbound rules which allow you to modify the markup on the fly:

https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-outbound-rules-to-add-web-analytics-tracking-code

Here is an example of rewriting image tags:

http://marisks.net/2017/05/14/changing-static-resource-urls-to-cdn-urls-with-url-rewrite/
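The same on-the-fly markup rewrite can be done inside the application with an ASP.NET response filter (a different mechanism from the URL Rewrite outbound rules suggested above), where the per-request nonce is directly available. The following C# is an added example, not code from the thread: the class and method names are hypothetical, and it assumes the application runs at the site root so the framework handlers render as `/ScriptResource.axd?` and `/WebResource.axd?`. It stamps only those framework-generated external tags, because adding the nonce to every `<script>` in the output would also authorize any injected markup.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Added example (hypothetical names). Buffers the rendered page and stamps the
// per-request nonce onto framework-generated external script tags only.
public sealed class ScriptNonceFilter : MemoryStream
{
    // Matches "<script" only when the tag has no nonce yet and its src points at
    // the same-origin ScriptResource.axd / WebResource.axd handlers (site root assumed).
    private static readonly Regex FrameworkScript = new Regex(
        @"<script\b(?![^>]*\snonce=)(?=[^>]*\ssrc=""/(?:ScriptResource|WebResource)\.axd\?)",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    private readonly Stream _inner;
    private readonly Encoding _encoding;
    private readonly string _nonce;
    private bool _closed;

    public ScriptNonceFilter(Stream inner, Encoding encoding, string nonce)
    {
        _inner = inner; _encoding = encoding; _nonce = nonce;
    }

    // Pure function so the rewrite can be unit-tested without IIS.
    public static string AddNonce(string html, string nonce)
    {
        string attr = " nonce=\"" + HttpUtility.HtmlAttributeEncode(nonce) + "\"";
        return FrameworkScript.Replace(html, m => m.Value + attr);
    }

    // ASP.NET writes the page into this stream (buffered by MemoryStream) and
    // closes it at the end of the request; rewrite once, then pass it on.
    public override void Close()
    {
        if (!_closed)
        {
            _closed = true;
            string html = _encoding.GetString(ToArray());
            byte[] output = _encoding.GetBytes(AddNonce(html, _nonce));
            _inner.Write(output, 0, output.Length);
            _inner.Close();
        }
        base.Close();
    }
}
```

Install it once per HTML response, for example with `Response.Filter = new ScriptNonceFilter(Response.Filter, Response.ContentEncoding, nonce);`, passing the same nonce value that was placed in the policy. Inline scripts are left untouched by this filter and still need a nonce or hash from the code that renders them.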

After a discussion with the Microsoft community, it has been identified that there is no way to interpret the script tag generated dynamically. So as of now this is kind of not possible. Will keep you guys updated if I find any solution, or if you guys have a suggestion or workaround then feel free to post it here. Thanks for all your help.
