Make Umbraco "Nonce-ready" for Content Security Policy headers #11565
craigs100
started this conversation in
Features and ideas
Replies: 0 comments
As I'm just going through the pain of retro-fitting a nonce-based Content Security Policy, it occurred to me that it could be a nice selling point for the security credentials of Umbraco if we had the ability to switch on a Nonce generator that could either (or both!) add nonces to script tags that Umbraco generates and have a property of a commonly available method to allow devs (and maybe editors) to add a nonce to a manually coded script tag. It should be possible for any script tags in textareas, RTEs, Grids, etc. to have the nonce added in automatically. It could also generate a bare-bones CSP header as well in whatever Umbraco uses as an httpmodule/response.filter. Google Lighthouse seems to mark you down if you don't use Nonces or Hashes. I personally think nonces are easier to use but others may disagree. The noncing could be switched on/off in config, probably defaulting to "off".
Anyone else of a similar mind?
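A minimal sketch of the nonce generator and header idea described above, as an added example that is not Umbraco's own code: ASP.NET Core middleware that creates one random nonce per request, exposes it for hand-written script tags, and emits a bare-bones CSP header. The class and method names (`CspNonceMiddleware`, `GetCspNonce`) are assumptions for illustration.

```csharp
// Added example, not part of Umbraco. Per-request CSP nonce plus a bare-bones
// Content-Security-Policy header as ASP.NET Core middleware.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public static class CspNonceExtensions
{
    private const string ItemKey = "csp-nonce"; // assumed key name

    // Creates one 128-bit random nonce per request and caches it in
    // HttpContext.Items, so every script tag on the page shares the same value
    // that the header will later advertise.
    public static string GetCspNonce(this HttpContext context)
    {
        if (context.Items[ItemKey] is string existing) return existing;
        var bytes = new byte[16];
        RandomNumberGenerator.Fill(bytes);          // CSPRNG, never Random
        var nonce = Convert.ToBase64String(bytes);
        context.Items[ItemKey] = nonce;
        return nonce;
    }
}

public class CspNonceMiddleware
{
    private readonly RequestDelegate _next;
    public CspNonceMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        var nonce = context.GetCspNonce();
        // Write the header just before the response starts, so the nonce in the
        // header is the same one the view rendered into its <script> tags.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                $"default-src 'self'; script-src 'self' 'nonce-{nonce}'; " +
                "object-src 'none'; base-uri 'self'";
            return Task.CompletedTask;
        });
        return _next(context);
    }
}

// Registration (before the MVC/Umbraco endpoints):
//   app.UseMiddleware<CspNonceMiddleware>();
// Hand-written script tag in a Razor view:
//   <script nonce="@Context.GetCspNonce()">/* inline code */</script>
```

Any inline script emitted without the nonce attribute (including those in RTE or Grid content) will be blocked by the browser and reported in the console, which is a quick way to find the tags the automatic injection still has to cover.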