How to add Script tag nonce in ScriptResource.axd which is generated by asp.net form

Li Shi Quan (NCS) 6 Reputation points
2023-02-09T10:13:02+00:00

To resolve the old application's security finding by enabling Content Security Policy. The old app was using asp.net form, with some pages using the controls asp:ScriptManager and asp:UpdatePanel. When the page loads, it will automatically load some script components inside ScriptResource.axd. Some JS inside cannot execute without unsafe-inline in script-src. How to add a nonce to allow all scripts inside ScriptResource.axd to execute?


3 answers

  1. Li Shi Quan (NCS) 6 Reputation points
    2023-02-14T01:57:51.1866667+00:00

    Take GridView as a sample.

    The source code is like below.

    <form id="form1" runat="server">
            <div>
                <asp:ScriptManager runat="server"></asp:ScriptManager>
                <asp:UpdatePanel runat="server">
                    <ContentTemplate>
                        <asp:GridView ID="GridView1" runat="server" OnRowDataBound="GridView1_RowDataBound">
                            <Columns>
                                <asp:TemplateField>
                                    <ItemTemplate>
                                        <%# Eval("name") %>
                                    </ItemTemplate>
                                </asp:TemplateField>
                                <asp:TemplateField>
                                    <ItemTemplate>
                                        <asp:ImageButton runat="server" ID="itemDelete" staffname='<%# Eval("name") %>' OnClientClick='<%# Eval("name", "Close(\"Delete the record {0}?\");")%>'></asp:ImageButton>
                                    </ItemTemplate>
                                </asp:TemplateField>
                            </Columns>
                        </asp:GridView>
                    </ContentTemplate>
                </asp:UpdatePanel>
            </div>
        </form>
    

    After page load, some of <script src="/WebResource.axd?d=..."/> or <script src="/ScriptResource.axd?..."/> will be auto-generated without a nonce tag. How to add a nonce tag in these "script" tags?

    
    
        <form method="post" action="./girdview.aspx" id="form1">
    <div class="aspNetHidden">
    <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
    <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
    <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="..." />
    </div>
    
    <script type="text/javascript">
    //<![CDATA[
    var theForm = document.forms['form1'];
    if (!theForm) {
        theForm = document.form1;
    }
    function __doPostBack(eventTarget, eventArgument) {
        if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
            theForm.__EVENTTARGET.value = eventTarget;
            theForm.__EVENTARGUMENT.value = eventArgument;
            theForm.submit();
        }
    }
    //]]>
    </script>
    
    
    <script src="/WebResource.axd?d=pynGkmcFUV13He1Qd6_TZC5FY2_xsh64gZzzQn23ap9tDlFT-VMWVFcqZhZ-jZmMkw_e813C4wpyL_ctR1RWXw2&amp;t=638092287399240701" type="text/javascript"></script>
    
    
    <script src="/ScriptResource.axd?d=D9drwtSJ4hBA6O8UhT6CQqPhd2mIWpvMM35vraVdd3WP-pLnoORM22dE6XZUeaZz7k_ifIATtNlrK0Y6ozu60GLFUkcLgRi3Vza7DDY2uHfBgbgyYGdpvcw7eBEhnnOdVgJWMzvdufE0KMrDXLDHi9Qg_s8GsZ43zH1iAPvIH2g1&amp;t=d41bf5a" type="text/javascript"></script>
    <script type="text/javascript">
    //<![CDATA[
    if (typeof(Sys) === 'undefined') throw new Error('ASP.NET Ajax client-side framework failed to load.');
    //]]>
    </script>
    
    <script src="/ScriptResource.axd?d=JnUc-DEDOM5KzzVKtsL1taHLEXdmSDmWB-Qg1qxod1zo1-xs6ELeLuleiOH2KYv_JAub_8YIO57rPziorAGWYrjh9VnMBaWuK6JXmPkXZjD5ChcuXEf92cSUcx4oWR8YQgSOFIKzAI0RHwGMx4bqZha7QnFWJDz0jD_XwoeXaIDujm1aGPbjy1-9ZQNRfxYX0&amp;t=d41bf5a" type="text/javascript"></script>
            <div>
                <script type="text/javascript">
    //<![CDATA[
    Sys.WebForms.PageRequestManager._initialize('ctl02', 'form1', ['tctl03','ctl03'], [], [], 90, '');
    //]]>
    </script>
    
                <div id="ctl03">
    	
                        <div>
    		<table cellspacing="0" rules="all" border="1" id="GridView1" style="border-collapse:collapse;">
    			<tr>
    				<th scope="col">&nbsp;</th><th scope="col">&nbsp;</th><th scope="col">id</th><th scope="col">name</th>
    			</tr><tr>
    				<td>
                                        name1
                                    </td><td>
                                        <input type="image" name="GridView1$ctl02$itemDelete" id="GridView1_itemDelete_0" staffname="name1" onclick="Close(&quot;Delete the record name1?&quot;);" />
                                    </td><td>1</td><td>name1</td>
    			</tr><tr>
    				<td>
                                        name2
                                    </td><td>
                                        <input type="image" name="GridView1$ctl03$itemDelete" id="GridView1_itemDelete_1" staffname="name2" onclick="Close(&quot;Delete the record name2?&quot;);" />
                                    </td><td>2</td><td>name2</td>
    			</tr>
    		</table>
    	</div>
                    
    </div>
            </div>
        
    <div class="aspNetHidden">
    
    	<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="C583E297" />
    </div></form>
    
    1 person found this answer helpful.

  2. SurferOnWww 3,201 Reputation points
    2023-02-11T01:58:23.94+00:00

    Can the following article help?

    ASP.NET 4.5 ScriptManager Improvements in WebForms

    https://devblogs.microsoft.com/dotnet/asp-net-4-5-scriptmanager-improvements-in-webforms/


  3. QiYou-MSFT 4,321 Reputation points Microsoft Vendor
    2023-02-13T05:40:55.36+00:00

    Hi @Li Shi Quan (NCS)

    First, you can use the code in the backend to generate a random number.

    From your web server, generate a random base128-encoded string of at least 64 bits of data from a cryptographically secure random number generator. Each time the page loads, the random number should be generated differently.

    const crypto = require("crypto");
    crypto.randomBytes(16).toString("base64");
    // '8IBTHwOdqNKAWeKl7plt8g=='
    

    Then add this random number in js that you can't execute.

    <script nonce="8IBTHwOdqNKAWeKl7plt8g==">
      // …
    </script>
    

    Finally, you can call script-src+random number in the CSP header to complete the call.

    Content-Security-Policy: script-src 'nonce-8IBTHwOdqNKAWeKl7plt8g=='
    

    I think the following documentation is helpful to you:

    Document1

    Document2

    Best Regards

    Qi You


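The three steps from the answer above (generate the value, put it on the script tags, send it in the header), carried through on a shortened copy of the rendered page from the first answer. This is an added Node.js example, not code from any poster or from ASP.NET; the function names and the `PLACEHOLDER` query values are assumptions. It also lists inline `onclick` handlers, which a nonce does not cover.

```javascript
const { randomBytes } = require("crypto");

// Constructed sample: shortened from the rendered page in the first answer;
// the d= values are placeholders.
const SAMPLE_HTML = `
<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
//]]>
</script>
<script src="/WebResource.axd?d=PLACEHOLDER" type="text/javascript"></script>
<script src="/ScriptResource.axd?d=PLACEHOLDER" type="text/javascript"></script>
<input type="image" id="GridView1_itemDelete_0" onclick="Close(&quot;Delete the record name1?&quot;);" />
`;

// Step 1: a fresh value for every response (16 random bytes, base64).
function newNonce() {
  return randomBytes(16).toString("base64");
}

// Step 2: add nonce="..." to each <script> start tag that has none.
// Every script tag present is stamped, so user input echoed into the page
// must already be HTML-encoded or it would be stamped as well.
function stampScripts(html, nonce) {
  return html.replace(/<script\b(?![^>]*\bnonce=)([^>]*)>/gi,
    (_match, attrs) => `<script nonce="${nonce}"${attrs}>`);
}

// Step 3: the header value carrying the same nonce.
function cspHeader(nonce) {
  return `script-src 'nonce-${nonce}'`;
}

// A nonce only covers <script> elements. Inline event-handler attributes
// (onclick=...) stay blocked; list them (regex scan, not a full HTML parser).
function inlineHandlers(html) {
  const found = [];
  for (const tag of html.matchAll(/<([a-z][\w:]*)\b([^>]*)>/gi)) {
    for (const attr of tag[2].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      found.push(`${tag[1]}.${attr[1]}`);
    }
  }
  return found;
}

const nonce = newNonce();
console.log("Content-Security-Policy:", cspHeader(nonce));
console.log(stampScripts(SAMPLE_HTML, nonce));
console.log("not covered by the nonce:", inlineHandlers(SAMPLE_HTML));
```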

