
Middleware and TagHelpers for CSP support in ASP.NET (#1) #298

Open
wants to merge 1 commit into
base: main

Commits on Aug 13, 2020

  1. Middleware and TagHelpers for CSP support in ASP.NET (#1)

    Hello .NET community!
    
    This PR adds Content Security Policy support for ASP.NET as middleware. CSP is a popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.
    
    Summary of the changes (Less than 80 chars)
    
    * Allow configuration of whether CSP is enabled in reporting or enforcement mode.
    * Allows configuration of a report URI, for violation reports sent by the browser.
    * CSP middleware generates a nonce-based, strict-dynamic policy.
    * Middleware adds the policy to HTTP responses according to the configuration.
    * Custom <script> TagHelper to set nonce attribute on script blocks automatically.
    * Provides a default implementation of a CSP violation report collection endpoint.
    * Example app that uses our CSP middleware and corresponding basic unit tests.
    * With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS.
    
    Addresses dotnet/aspnetcore#6001
    
    Co-authored with: Aaron Shim - [email protected]
    gchatz22 authored Aug 13, 2020
    fd52908
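The commit message above describes three pieces: middleware that mints a per-request nonce and emits a nonce-based, strict-dynamic policy (in report-only or enforcing mode, with an optional report URI), and a `<script>` TagHelper that stamps that nonce onto script tags. The following is an added illustration of that design, not the code from this PR or from dotnet/aspnetcore; the type names `CspOptions`, `CspPolicy`, `CspMiddleware`, `NonceScriptTagHelper`, the `HttpContext.Items` key and the `/csp-report` path are assumptions chosen for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Microsoft.AspNetCore.Razor.TagHelpers;

// Hypothetical options type (not the PR's own): report-only vs. enforcing,
// plus an optional report URI for the violation reports the browser sends.
public sealed class CspOptions
{
    public bool ReportOnly { get; set; } = true;   // start in reporting mode
    public string? ReportUri { get; set; }          // e.g. "/csp-report" (assumed path)
}

public static class CspPolicy
{
    // Key under which the per-request nonce is stored in HttpContext.Items.
    public const string NonceItemKey = "csp-nonce";

    // 128 bits of CSPRNG output, base64-encoded. The browser only compares the
    // nonce string, so unpredictability per response is what matters.
    public static string CreateNonce()
    {
        var bytes = new byte[16];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Nonce-based strict-dynamic policy for one response.
    // 'strict-dynamic' lets scripts loaded by a nonced script run without a
    // host allowlist; 'unsafe-inline' and https: are ignored by browsers that
    // understand nonces and serve only as fallbacks for older ones.
    public static string Build(string nonce, CspOptions options)
    {
        var policy = $"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; " +
                     "object-src 'none'; base-uri 'none'";
        if (!string.IsNullOrEmpty(options.ReportUri))
            policy += $"; report-uri {options.ReportUri}";
        return policy;
    }

    public static string HeaderName(CspOptions options) =>
        options.ReportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
}

// Middleware: mint a nonce per request, expose it to the view layer through
// HttpContext.Items, and attach the policy header before headers are flushed.
public sealed class CspMiddleware
{
    private readonly RequestDelegate _next;
    private readonly CspOptions _options;

    public CspMiddleware(RequestDelegate next, CspOptions options)
    {
        _next = next;
        _options = options;
    }

    public Task InvokeAsync(HttpContext context)
    {
        var nonce = CspPolicy.CreateNonce();
        context.Items[CspPolicy.NonceItemKey] = nonce;
        // OnStarting runs just before the response headers are sent, so the
        // header is set even if a downstream component starts the body early.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers[CspPolicy.HeaderName(_options)] = CspPolicy.Build(nonce, _options);
            return Task.CompletedTask;
        });
        return _next(context);
    }
}

// TagHelper: every <script> rendered by a Razor view receives the request's
// nonce, so application scripts keep running once the policy is enforced.
[HtmlTargetElement("script")]
public sealed class NonceScriptTagHelper : TagHelper
{
    [ViewContext]
    [HtmlAttributeNotBound]
    public ViewContext ViewContext { get; set; } = default!;

    public override void Process(TagHelperContext context, TagHelperOutput output)
    {
        if (ViewContext.HttpContext.Items[CspPolicy.NonceItemKey] is string nonce)
            output.Attributes.SetAttribute("nonce", nonce);
    }
}

// Wiring (assumed, in Startup.Configure or Program.cs):
//   app.UseMiddleware<CspMiddleware>(new CspOptions { ReportOnly = true, ReportUri = "/csp-report" });
// and in _ViewImports.cshtml:
//   @addTagHelper *, <YourAssemblyName>
```

The rollout the commit message describes maps onto `ReportOnly`: run with `true` first, read the reports posted to the report URI to find inline handlers and `javascript:` URLs that the nonce cannot cover, refactor them, then flip to `false`. Note that `'strict-dynamic'` is only a defence when the nonce is fresh per response and never reflected into attacker-controlled markup; a nonce reused across responses, or one cached by a CDN, gives an attacker a valid value to copy into injected script.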