I have solved it in the "dirty" way above.
In case someone wants to know how, here's also the missing ReplaceQuickNavigatorScriptWithNonceScript which uses HtmlAgilityPack:
    // Usings this method needs. ICspConfiguration, INonceProvider and
    // SwitchContentSecurityOptimizations are project types not shown in the post.
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using EPiServer.ServiceLocation;
    using HtmlAgilityPack;

    private static IHtmlString ReplaceQuickNavigatorScriptWithNonceScript(IHtmlString originalEpiServerScript)
    {
        ICspConfiguration cspConfig = ServiceLocator.Current.GetInstance<ICspConfiguration>();
        // Leave the markup untouched when nonce-based CSP is switched off.
        if (!Feature<SwitchContentSecurityOptimizations>.Is().Enabled || !cspConfig.IsCspScriptNonceEnabled)
        {
            return originalEpiServerScript;
        }

        INonceProvider nonceProvider = ServiceLocator.Current.GetInstance<INonceProvider>();
        HtmlDocument doc = new HtmlDocument();
        doc.LoadHtml(originalEpiServerScript.ToHtmlString());

        // Script tags without a nonce that either load a file or contain inline code.
        IEnumerable<HtmlNode> relevantScriptTags = doc.DocumentNode.Descendants("script")
            .Where(script => script.Attributes["nonce"] == null &&
                (script.Attributes["src"] != null || !string.IsNullOrWhiteSpace(script.InnerText)));
        foreach (HtmlNode script in relevantScriptTags)
        {
            script.Attributes.Add("nonce", nonceProvider.CspScriptNonce);
        }

        return new HtmlString(doc.DocumentNode.OuterHtml);
    }
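The method above only helps if the nonce it writes is unpredictable, new for every response, and identical to the one in the Content-Security-Policy header. The following is an added example, not code from the post or from Optimizely: it generates such a nonce, builds the matching header value, and lists any script tags in the final markup that would still be blocked. The class and method names and the sample HTML are assumptions made for illustration.

```csharp
// Requires the HtmlAgilityPack NuGet package (the same parser the post uses).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using HtmlAgilityPack;

public static class CspNonceExample // hypothetical name
{
    // 128 bits from the OS CSPRNG; generate one per response and never reuse it.
    public static string NewNonce()
    {
        byte[] bytes = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Directive that authorises only scripts carrying this response's nonce.
    public static string BuildScriptSrc(string nonce)
    {
        return "script-src 'nonce-" + nonce + "'";
    }

    // Script elements whose nonce attribute is absent or differs from the header's.
    public static List<string> ScriptsWithoutNonce(string html, string nonce)
    {
        HtmlDocument doc = new HtmlDocument();
        doc.LoadHtml(html);
        return doc.DocumentNode.Descendants("script")
            .Where(s => s.GetAttributeValue("nonce", "") != nonce)
            .Select(s => s.OuterHtml)
            .ToList();
    }

    public static void Main()
    {
        string nonce = NewNonce();
        // Constructed sample markup, not the real QuickNavigator output.
        string html = "<script nonce=\"" + nonce + "\">init();</script>" +
                      "<script src=\"/a.js\"></script>" +
                      "<script nonce=\"stale\">other();</script>";
        Console.WriteLine("Content-Security-Policy: " + BuildScriptSrc(nonce));
        foreach (string tag in ScriptsWithoutNonce(html, nonce))
            Console.WriteLine("missing or wrong nonce: " + tag);
    }
}
```

Run on the constructed markup, the check reports the second and third tags, which is the kind of output to look for in an integration test of a nonce-rewritten page.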
Hello guys,
I have a question regarding CSP unsafe-inline of RenderEPiServerQuickNavigator.
It renders script like this:
How can I add a nonce value to the inline script to avoid a CSP violation? The only way I see is using string replace.
Pseudo code:
Regards,
Tim