
Commit f649951

Merge pull request #57 from damienbod/dev
Improve CSP, using nonce
2 parents b3d4b9f + 6d755c2 commit f649951


5 files changed

+21
-14
lines changed


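--- a/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj
+++ b/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj
@@ -8,10 +8,10 @@
 </PropertyGroup>
 
 <ItemGroup>
-<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.0" />
-<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.0" PrivateAssets="all" />
+<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.1" />
+<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.1" PrivateAssets="all" />
 <PackageReference Include="Microsoft.Extensions.Http" Version="8.0.0" />
-<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.0" />
+<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.1" />
 </ItemGroup>
 
 <ItemGroup>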

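--- a/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj
+++ b/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj
@@ -12,9 +12,10 @@
 </ItemGroup>
 
 <ItemGroup>
-<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.0" />
-<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.0" NoWarn="NU1605" />
+<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.1" />
+<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.1" NoWarn="NU1605" />
 <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.21.0" />
+<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.21.0" />
 </ItemGroup>
 
 </Project>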

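--- a/BlazorBffOpenIdConnect/Server/Pages/_Host.cshtml
+++ b/BlazorBffOpenIdConnect/Server/Pages/_Host.cshtml
@@ -2,6 +2,7 @@
 @namespace BlazorBffOpenIDConnect.Pages
 @using BlazorBffOpenIDConnect.Client
 @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
+@addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers
 @{
 Layout = null;
 }
@@ -40,8 +41,8 @@
 <a class="dismiss">🗙</a>
 </div>
 
-<script src="_framework/blazor.webassembly.js" ></script>
-<script src="antiForgeryToken.js" ></script>
+<script asp-add-nonce src="_framework/blazor.webassembly.js"></script>
+<script asp-add-nonce src="antiForgeryToken.js"></script>
 @Html.AntiForgeryToken()
 </body>
 </html>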
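Review bot: Only the two external `<script>` tags in the second hunk receive `asp-add-nonce`, so with the server-side script-src now being nonce-only, any inline `<script>` (or, if style-src is nonce-based too, inline `<style>`) elsewhere in _Host.cshtml outside these hunks would be blocked by the browser rather than fail at build time. The rest of the page between the two hunks is not visible here, so it should be checked for such elements and each given `asp-add-nonce` as well. It would also help future readers to state the dependency at the top of the file, e.g. a Razor comment next to the new `@addTagHelper` line: `@* asp-add-nonce must be present on every script the CSP in SecurityHeadersDefinitions.cs is expected to allow *@`.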

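--- a/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
+++ b/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
@@ -2,15 +2,17 @@
 
 public static class SecurityHeadersDefinitions
 {
-public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string idpHost)
+public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
 {
+ArgumentNullException.ThrowIfNull(idpHost);
+
 var policy = new HeaderPolicyCollection()
 .AddFrameOptionsDeny()
 .AddContentTypeOptionsNoSniff()
 .AddReferrerPolicyStrictOriginWhenCrossOrigin()
 .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
 .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
-.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp()) // remove for dev if using hot reload
+.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
 .AddContentSecurityPolicy(builder =>
 {
 builder.AddObjectSrc().None();
@@ -24,12 +26,9 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, strin
 
 // due to Blazor
 builder.AddScriptSrc()
-.Self()
-.WithHash256("v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=")
+// .Self() Add this if you want to use the visual studio debugging tools
+.WithNonce()
 .UnsafeEval();
-
-// disable script and style CSP protection if using Blazor hot reload
-// if using hot reload, DO NOT deploy with an insecure CSP
 })
 .RemoveServerHeader()
 .AddPermissionsPolicy(builder =>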
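Review bot: The new comment `// .Self() Add this if you want to use the visual studio debugging tools` in the second hunk replaces the removed "DO NOT deploy with an insecure CSP" warning without carrying its caution over: once `'self'` sits next to the nonce, every same-origin script is allowed again and the per-request allow-list that `.WithNonce()` provides is undone, so the comment should say so, e.g. `// .Self() only for local VS debugging; 'self' re-opens script-src to all same-origin scripts and must not ship`. `.UnsafeEval()` remains on the line after `.WithNonce()` and is now the broadest allowance left in this directive; if it is only there for the WebAssembly runtime, the `// due to Blazor` comment should state that, and whether the library version in use exposes the narrower `'wasm-unsafe-eval'` source is worth confirming. The `ArgumentNullException.ThrowIfNull(idpHost)` guard in the first hunk is a good addition, but nothing in the visible lines shows where `idpHost` is consumed, so the remainder of GetHeaderPolicyCollection (it continues outside both hunks) should be checked that the value is used as a host/origin and not interpolated into a directive unvalidated.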

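--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,12 @@
 
 [Readme](https://github.com/damienbod/Blazor.BFF.OpenIDConnect.Template/blob/main/README.md)
 
+
+**2024-01-14** 3.0.2
+- Improve CSP, using nonce
+- updated packages
+
+
 **2023-12-31** 3.0.1
 - Open redirect protection on login
 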
