DOTNET-116 add nonce attribute (#128)

danatcofo · Todd Lair · web-flow · commit 8fe47254cbaa · 2022-05-25T14:11:57.000-05:00
string CSP rules require a nonce attribute on inline script tags like this.

Co-authored-by: Todd Lair &lt;todd.lair@visionmedia.com&gt;
diff --git a/Src/StackifyLib/Web/RealUserMonitoring.cs b/Src/StackifyLib/Web/RealUserMonitoring.cs
@@ -1,6 +1,5 @@
-﻿using System;
-using System.Collections.Generic;
-using System.Text;
+using System;
+using System.Security.Cryptography;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using StackifyLib.Utils;
@@ -9,6 +8,8 @@ namespace StackifyLib.Web
 {
     public static class RealUserMonitoring
     {
+        private static readonly RandomNumberGenerator Rng = new RNGCryptoServiceProvider();
+
         public static string GetHeaderScript()
         {
             var rumScriptUrl = Config.RumScriptUrl;
@@ -51,8 +52,13 @@ public static string GetHeaderScript()
                 settings["Trans"] = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(reportingUrl));
             }
 
-            return string.Format(@"<script type=""text/javascript"">(window.StackifySettings || (window.StackifySettings = {0}))</script><script src=""{1}"" data-key=""{2}"" async></script>",
-                settings.ToString(Formatting.None), rumScriptUrl, rumKey);
+            // generate nonce for strict CSP rules
+            var nonceBytes = new byte[20];
+            Rng.GetNonZeroBytes(nonceBytes);
+            var nonce = Convert.ToBase64String(nonceBytes);
+
+            return string.Format("<script type=\"text/javascript\" nonce=\"{3}\">(window.StackifySettings || (window.StackifySettings = {0}))</script><script src=\"{1}\" data-key=\"{2}\" async></script>",
+                settings.ToString(Formatting.None), rumScriptUrl, rumKey, nonce);
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`		`-using System;`
`2`		`-using System.Collections.Generic;`
`3`		`-using System.Text;`
	`1`	`+using System;`
	`2`	`+using System.Security.Cryptography;`
`4`	`3`	`using Newtonsoft.Json;`
`5`	`4`	`using Newtonsoft.Json.Linq;`
`6`	`5`	`using StackifyLib.Utils;`
`@@ -9,6 +8,8 @@ namespace StackifyLib.Web`
`9`	`8`	`{`
`10`	`9`	`public static class RealUserMonitoring`
`11`	`10`	`{`
	`11`	`+ private static readonly RandomNumberGenerator Rng = new RNGCryptoServiceProvider();`
	`12`	`+`
`12`	`13`	`public static string GetHeaderScript()`
`13`	`14`	`{`
`14`	`15`	`var rumScriptUrl = Config.RumScriptUrl;`
`@@ -51,8 +52,13 @@ public static string GetHeaderScript()`
`51`	`52`	`settings["Trans"] = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(reportingUrl));`
`52`	`53`	`}`
`53`	`54`
`54`		`- return string.Format(@"<script type=""text/javascript"">(window.StackifySettings \|\| (window.StackifySettings = {0}))</script><script src=""{1}"" data-key=""{2}"" async></script>",`
`55`		`- settings.ToString(Formatting.None), rumScriptUrl, rumKey);`
	`55`	`+ // generate nonce for strict CSP rules`
	`56`	`+ var nonceBytes = new byte[20];`
	`57`	`+ Rng.GetNonZeroBytes(nonceBytes);`
	`58`	`+ var nonce = Convert.ToBase64String(nonceBytes);`
	`59`	`+`
	`60`	`+ return string.Format("<script type=\"text/javascript\" nonce=\"{3}\">(window.StackifySettings \|\| (window.StackifySettings = {0}))</script><script src=\"{1}\" data-key=\"{2}\" async></script>",`
	`61`	`+ settings.ToString(Formatting.None), rumScriptUrl, rumKey, nonce);`
`56`	`62`	`}`
`57`	`63`	`}`
`58`	`64`	`}`