
We're trying to add a Content Security Policy to a legacy application, and to not have it be too permissive.

The application uses asp.net, and, among other problems, we have a problem with event handlers that are created automatically by the framework. As these are inline and not separate script tags, we cannot allow them through a nonce or hash.

For example, we have a form with a defaultbutton, which creates the following code:

<form name="login" method="post" action="./login.aspx?logout=true" onsubmit="javascript:return WebForm_OnSubmit();" onkeypress="javascript:return WebForm_FireDefaultButton(event, 'submit')" id="login" autocomplete="off">

Is there a way to make asp.net create code that would comply with a restrictive CSP policy?

    Not in WebForms, no - that markup / JavaScript is generated by internal ASP.NET framework code. WebForms is essentially a legacy tech, conceived in the days before web standards, before a lot of modern JavaScript syntax was available, before anyone really cared too much about security on the web. It just doesn't fit with current ways of doing things...you're going to struggle to do anything like this I think. – ADyson Nov 18 '19 at 13:42
  • Does this answer your question? [Add nonce attribute to auto-generated WebForms script](https://stackoverflow.com/questions/44461778/add-nonce-attribute-to-auto-generated-webforms-script) – dpant Nov 19 '19 at 19:50
  • Also: https://stackoverflow.com/questions/54095422/how-to-whitelist-dynamically-created-scripts-in-a-webforms-project-using-csp-co, https://stackoverflow.com/questions/35851651/content-security-policy-in-asp-net-webforms – dpant Nov 19 '19 at 20:03
  • @dpant - no, not really. While it works for scripts that are created in a separate tag, there appears to be no way to use hashes for inline scripts (as attributes), at least not in CSP2 (it seems CSP3 may change this). This is why I'm trying to get asp.net to create the code without inlining the scripts. So basically, the answer is the same as ADyson's - there is no way to do this. – Shahar Mosek Nov 25 '19 at 08:47
