Not sure how he's dealt with those issues, but maybe check out Mark Stott's Stott.Security.Optimizely add-on for inspiration?
https://world.optimizely.com/blogs/mark-stott/dates/2024/5/stott-security-version-2-so-far/
I wish you well on your CSP journey :D
We 'catch' the output of the code that injects scripts and replace-in the nonce.
So for the navigator we have this in our _Layout.cshtml:
@{
    var optiNav = (await Html.RenderEPiServerQuickNavigatorAsync()).InsertNonce();
}
@Html.Raw(optiNav)
And similarly we apply this to the header output of IClientResourceService to inject it for the AI script.
The InsertNonce method is a custom helper method that injects the nonce generated by the Jhoose security addon:
// ICspProvider comes from the Jhoose security add-on; Injected<T> from EPiServer.ServiceLocation.
private static readonly Injected<ICspProvider> _cspProvider;

public static string InsertNonce(this IHtmlContent content)
{
    var nonceValue = _cspProvider.Service.GenerateNonce();
    var htmlString = GetHtmlString(content); // get raw html from IHtmlContent

    // Drop the empty "nonce" placeholder attribute, then add our nonce to every <script> tag.
    var result = htmlString
        .Replace(" nonce ", " ")
        .Replace(" nonce>", " >")
        .Replace("<script ", $"<script nonce=\"{nonceValue}\" ")
        .Replace("<script>", $"<script nonce=\"{nonceValue}\">");
    return result;
}

// Render the IHtmlContent to a plain string (needs System.IO and System.Text.Encodings.Web).
private static string GetHtmlString(IHtmlContent content)
{
    using var writer = new StringWriter();
    content.WriteTo(writer, HtmlEncoder.Default);
    return writer.ToString();
}
Open to a less awkward way of doing this.
If you add CSP, you need to make sure to also enable it for client/template resources https://docs.developers.optimizely.com/content-management-system/docs/content-security-policy#bring-your-nonce
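A slightly more robust take on the same idea as the InsertNonce helper above, added here as an example and not code from the thread, from Jhoose or from Optimizely. It assumes .NET 6 or later and a hypothetical static class ScriptNonceInjector; the regexes handle the cases plain string Replace misses (upper-case SCRIPT tags, a bare nonce placeholder followed by other attributes, and a tag that already carries a nonce, which is left alone so the tag never ends up with two nonce attributes).

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Hypothetical helper (added example, not from the thread or any add-on).
public static class ScriptNonceInjector
{
    // A <script ...> opening tag that does not already have a nonce="..." attribute.
    private static readonly Regex ScriptTagWithoutNonce = new Regex(
        @"<script\b(?![^>]*\bnonce\s*=)([^>]*)>",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // A bare `nonce` attribute (no value) inside a <script> opening tag.
    private static readonly Regex EmptyNoncePlaceholder = new Regex(
        @"(<script\b[^>]*?)\s+nonce(?=[\s>])",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // 128 random bits from the CSPRNG, base64-encoded: safe inside a quoted HTML attribute.
    // Generate one value per request and put the same value in the CSP header.
    public static string GenerateNonce() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));

    // Adds nonce="..." to every <script> opening tag in the fragment that lacks one.
    public static string AddNonce(string html, string nonce)
    {
        if (string.IsNullOrEmpty(nonce))
            throw new ArgumentException("A nonce value is required.", nameof(nonce));

        var cleaned = EmptyNoncePlaceholder.Replace(html, "$1");
        return ScriptTagWithoutNonce.Replace(cleaned,
            m => $"<script nonce=\"{nonce}\"{m.Groups[1].Value}>");
    }
}

public static class Program
{
    public static void Main()
    {
        const string nonce = "TEST-NONCE"; // constructed; call GenerateNonce() in real use

        // Constructed sample resembling markup an add-on might emit.
        const string sample =
            "<script>console.log('inline');</script>\n" +
            "<script nonce src=\"/app.js\"></script>\n" +
            "<SCRIPT type=\"module\">import './m.js';</SCRIPT>\n" +
            "<script nonce=\"already-set\">x();</script>";

        // First three tags get nonce="TEST-NONCE"; the fourth is left untouched.
        Console.WriteLine(ScriptNonceInjector.AddNonce(sample, nonce));
    }
}
```

In a Razor view the call would be `@Html.Raw(ScriptNonceInjector.AddNonce(htmlString, nonce))`, with `nonce` being the per-request value your middleware also writes into the `script-src 'nonce-...'` directive; if the two ever differ the browser blocks the script, which is exactly the check you want CSP to enforce.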
Hey EJ,
maybe it's not relevant but it doesn't harm to mention:
- do know that AppInsights could be added already through EPiServer.CloudPlatform.Cms -> AddCmsCloudPlatformSupport(), probably in your startup.cs
- there are scenarios where the app insights script is injected automatically. Mainly CMS 11 where it is controlled through the env variable APPINSIGHTS_JAVASCRIPT_ENABLED
More info:
- https://docs.developers.optimizely.com/digital-experience-platform/docs/consumption-metrics#client-telemetry
- https://dev.to/gkarwchan/everything-you-need-to-know-about-telemetry-and-instrumentation-your-aspnet-application-on-azure-49jn
We needed to disable auto-injection (through opti support) as it injected the script in some static HTML files which broke some blazor web assembly functionality.
bye!
Hi,
We have implemented Content Security Policy for our site and boy what a cumbersome process. We have created a middleware that whitelists third party scripts and for inline-scripts we use nonce. But, Application Insights is injected inline and I can't add a nonce to that script and hence it will be blocked.
Is there a way I can insert the AI script myself with a nonce value instead of magically retrieving it from DXP?
Also, for the Episerver QuickNavigator addon, can I somehow find and add a nonce to this as well without using unsafe-inline which defeats the entire purpose of CSP.
I've been struggling together with GitHub Copilot for a while now, not finding a solution.