Nonce not working in asp.net core mvc #45

Open

Ephaltes opened this issue Sep 1, 2019 · 11 comments

Comments

Ephaltes commented Sep 1, 2019

Hi

I followed your guide in the README but I can't get the nonce to work; unsafe-inline is working fine.

I have created a test project where I add

`services.AddCsp(nonceByteAmount: 32);`

in the ConfigureServices section, and

`app.UseCsp` in the Configure section with `.AddNonce()`,

added the tag helper in the ViewImports,

and added `asp-add-nonce="true"` to the script tag.
I also get the auto completion for that tag.

But when I start the website I get an error that it violates the CSP rules because the inline script doesn't have a nonce.

I added the nonce in Index.cshtml.

Here is the test project to download: https://www.dropbox.com/sh/9ykavf5c0kik6j7/AABNY-Tsnm8WK3tftgw7lj9Sa?dl=0

@GeordieStew

Same issue here.

@juunas11
Owner

juunas11 commented Oct 4, 2019

Okay, I'll try to have a look at it at some point.

@GeordieStew

Cheers. Also, unrelated: tried in ASP.NET Core 3.0 and not getting the auto completion.

@bennycoomans

I have the same issue. The nonce worked correctly in our project when it was a netcoreapp2.2, but after upgrading to a netcoreapp3.0 the `asp-add-nonce="true"` attributes are no longer replaced by the actual nonce value.

If you need a sample project (I would need to create one since our project is a private project), let me know.

@juunas11
Owner

I've published version 3.0.0 on NuGet now that should fix the issues. I had to update some of the dependencies related to Razor to get it to work, similar to this other issue: Shazwazza/Smidge#89. Try it out and see if your issue is solved; the sample app started functioning once I did those updates.

@bennycoomans

Thanks, my issue is indeed resolved after using version 3.0.0.

@goekboet

goekboet commented Dec 9, 2019

I still have this problem. My project is ASP.NET Core 2.2 and uses version 3.0.0 of this library. The script tag ends up like `<script nonce="">`. I can verify the nonce service is working, but the attribute is never filled in.

@juunas11
Owner

juunas11 commented Dec 9, 2019

@goekboet Okay that sounds odd. Keep in mind that 2.2 will be out of support in a few weeks though.

@goekboet

goekboet commented Dec 9, 2019

Yes. I realized a bit later that the attribute renders with Edge but not with Chrome. I'm looking into why this is, but it's probably nothing to do with this library. In Chrome the attribute renders as an empty string even though I hard-code it.

@MikeK93

MikeK93 commented May 23, 2023

@goekboet, I had a similar issue; however, after some research, I found this Stack Overflow answer which says:

> That is, the DOM inspector will show no value for the nonce attribute on that script element.
>
> More accurately: you’ll see no value for the nonce attribute on that script if the doc is served with a Content-Security-Policy header, and the browser is applying the policy in that header.
>
> If you don’t serve the doc with a Content-Security-Policy header, or browsers don’t apply the policy from it, you’ll see nonce=DhcnhD3khTMePgXw for the script element in the inspector.
>
> So the lack of a value for that nonce attribute in the DOM inspector actually indicates that things are working as expected. That is, it indicates the browser is checking the value for a match against any nonce-* source expressions in the Content-Security-Policy header.
>
> The way it works inside browsers is: browsers move the nonce attribute’s value to an “internal slot” for the browser’s own use. So it stays available to the browser, but hidden from the DOM.

@juunas11
Owner

I think I hit that one as well during development; confused the heck out of me. It might be a security thing, so another script etc. could not copy it?


6 participants