.Net Core 'asp-append-version' interfering with CSP nonces in Umbraco 9

Question

I have a very simple TagHelper which will add the current CSP nonce to a specified tag.

This is all working fine until I start using asp-append-version along with it, at which point the browser begins complaining that the script is blocked:

[Report Only] Refused to load the script because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'nonce-7TYX/FgHsrvHOORSEBRB3h0e'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

When I view the page source I can see that my nonce is correctly applied however we end up with two src attributes which doesn't seem right to me:

<script src="/web/scripts/main.js?v=K0HDUmKd22yWAqRgrnhcGk69aHiFH8qUh2kPLDSbV0c" 
        src="/web/scripts/main.js" 
        nonce="GLBtUe54MABq4Ld2Wtznf8P2"></script>

Could this be the issue? I see two attributes, even without the custom tag helper (have also tried unregistering ALL custom tag helpers in the system and I still face this issue).

It won't even work with a static hardcoded nonce (no tag helper at all).

Example script reference:

<script asp-append-version="true" asp-add-nonce="true" src="/web/scripts/main.js"></script>

TagHelper class:

[HtmlTargetElement("script", Attributes = "asp-add-nonce")]
public class NonceTagHelper : TagHelper
{
    private readonly ILogger<NonceTagHelper> logger;
    private readonly ICspNonceBuilder cspNonceBuilder;

    public NonceTagHelper(ILogger<NonceTagHelper> logger, ICspNonceBuilder cspNonceBuilder)
    {
        this.logger = logger;
        this.cspNonceBuilder = cspNonceBuilder;
    }

    [HtmlAttributeName("asp-add-nonce")]
    public bool AddNonce { get; set; }

    public override void Process(TagHelperContext context, TagHelperOutput output)
    {
        if (!this.AddNonce)
        {
            return;
        }

        var nonce = this.cspNonceBuilder.GetRequestNonce();

        output.Attributes.SetAttribute("nonce", nonce);
    }
}

This all starts working fine if I remove asp-append-version - output:

<script nonce="GLBtUe54MABq4Ld2Wtznf8P2" type="module" src="/web/scripts/main.js"></script>

But I'd like to keep using this if possible. What am I missing? I'm not sure its the custom tag helper as the issue is reproduceable without it (hardcoded nonce).

Answer 1

I've found the issue. Umbraco 9 includes a bundling and minification package as standard https://github.com/Shazwazza/Smidge :

@addTagHelper *, Smidge
@inject Smidge.SmidgeHelper SmidgeHelper

Smidge is including some taghelpers which target the src attribute on <script> tags.

Seems like it's duplicating the entire attribute:

https://github.com/Shazwazza/Smidge/blob/master/src/Smidge/TagHelpers/SmidgeScriptTagHelper.cs#L48

// Pass through attribute that is also a well-known HTML attribute.
// this is required to make sure that other tag helpers executing against this element have
// the value copied across
if (Source != null)
{
     output.CopyHtmlAttribute("src", context);
}

Removing this from the solution resolves the issue.

Edit* This has now been patched and will be releasing with version 4.1.0