
We have been asked to implement Content-Security-Policy to mitigate XSS attacks on our App. As a result we need to move all inline scripts to referenced files, which could then be specified as safe in the Content-Security-Policy HTTP headers.

This has mostly been doable; however, it now seems that some web controls, i.e. WebForms, inject inline scripts to do callbacks.

Is there a way around this or do we need to use 3rd party controls or possibly create custom controls?

ADyson
cmdln

1 Answer


There are 2 technologies for developing web applications in ASP.NET:

  1. ASP.NET MVC makes a separation between the user interface and the code (application logic and presentation logic). It has full control over the generated HTML code, generates pure HTML code, so you can use 'nonce-value' to allow inline scripts <script> and inline styles <style>.

  2. ASP.NET WebForms has a user interface logic that is closely related to the code, and it is difficult to separate it from it, so scripts and styles are uncontrollably embedded in the generated HTML code.
    When using the WebForms, you can use '<hash-algorithm>-<base64-value>', but the hash values will depend on the deployment environment. Nonces are not applicable directly, but you can use a trick - to override the __doPostBack or HtmlTextWriter methods - please see details here.

granty
  • There are too many pages in our projects to convert to MVC (approx. 1500). It's not an option to convert everything. Do you know of any 3rd party web controls that may resolve the inline script issue? – cmdln Aug 25 '21 at 14:30
  • Yeah, it's a lot of work! Start with the more important project, run CSP in Report-Only mode and use NWebsec 2.0.0, which has a built-in CSP report handler. So you can easily find all violations. After evaluating the scope of work on the implementation of nonce, you will make a decision on upgrading the remaining projects. I do not think there is a third party service to do all the job. – granty Aug 25 '21 at 15:54
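The WebForms nonce trick the answer sketches (and the hash alternative it contrasts it with), written out as an added C# example; it is not code from the question, the answer, or the ASP.NET framework. It assumes a classic ASP.NET WebForms application. `CspPage`, `NonceHtmlTextWriter`, the `CspDemo` namespace and the `HttpContext.Items` key are names chosen for this example; `Page.CreateHtmlTextWriter`, `HtmlTextWriter.Write`, `HtmlTextWriter.RenderBeginTag` and `HttpResponse.AppendHeader` are real framework members that the example overrides or calls.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

namespace CspDemo // constructed namespace for this example
{
    // Base page for a WebForms app: one random nonce per request, sent in the CSP
    // header and stamped on every <script> tag the page pipeline renders.
    public class CspPage : Page
    {
        private const string NonceItemKey = "CspDemo.Nonce"; // constructed HttpContext.Items key

        // Per-request nonce: 128 bits from the CSPRNG, base64-encoded as CSP expects.
        public static string CurrentNonce
        {
            get
            {
                var items = HttpContext.Current.Items;
                if (items[NonceItemKey] == null)
                {
                    var bytes = new byte[16];
                    using (var rng = RandomNumberGenerator.Create())
                    {
                        rng.GetBytes(bytes);
                    }
                    items[NonceItemKey] = Convert.ToBase64String(bytes);
                }
                return (string)items[NonceItemKey];
            }
        }

        // Hash source for a fixed inline script body (the WebForms alternative the
        // answer mentions). Any change to the body, e.g. a value that differs per
        // deployment, changes the digest and the script is blocked.
        public static string Sha256Source(string scriptBody)
        {
            using (var sha = SHA256.Create())
            {
                var digest = sha.ComputeHash(Encoding.UTF8.GetBytes(scriptBody));
                return "'sha256-" + Convert.ToBase64String(digest) + "'";
            }
        }

        protected override void OnPreRender(EventArgs e)
        {
            base.OnPreRender(e);
            // No 'unsafe-inline': only scripts carrying this request's nonce, plus
            // same-origin files such as WebResource.axd, are allowed to run.
            Response.AppendHeader("Content-Security-Policy",
                "default-src 'self'; script-src 'self' 'nonce-" + CurrentNonce + "'; object-src 'none'");
        }

        // Hand the rendering pipeline a writer that adds the nonce on the way out.
        protected override HtmlTextWriter CreateHtmlTextWriter(TextWriter tw)
        {
            return new NonceHtmlTextWriter(tw, CurrentNonce);
        }
    }

    // HtmlTextWriter that adds nonce="..." to <script> tags, whether they are opened
    // through the writer API or written as literal markup strings.
    public class NonceHtmlTextWriter : HtmlTextWriter
    {
        private readonly string _nonce;
        private readonly Regex _scriptOpen;

        public NonceHtmlTextWriter(TextWriter writer, string nonce) : base(writer)
        {
            _nonce = nonce;
            // "<script" followed by whitespace or ">", not already carrying a nonce attribute.
            _scriptOpen = new Regex(@"<script(?![^>]*\bnonce=)(?=[\s>])", RegexOptions.IgnoreCase);
        }

        // Controls that open the tag through the writer API come through here.
        public override void RenderBeginTag(HtmlTextWriterTag tagKey)
        {
            if (tagKey == HtmlTextWriterTag.Script)
            {
                AddAttribute("nonce", _nonce);
            }
            base.RenderBeginTag(tagKey);
        }

        // ClientScriptManager (RegisterStartupScript, the __doPostBack block, ...) and
        // literal .aspx markup write their <script> tags as plain strings, so those
        // only pass through Write(string); rewrite the opening tag there.
        public override void Write(string s)
        {
            base.Write(s == null ? null : _scriptOpen.Replace(s, "<script nonce=\"" + _nonce + "\""));
        }
    }
}
```

Pages inherit from `CspPage` instead of `Page` (or set it as the base class for a master page's content pages), and nothing else in the markup changes. The string rewrite in `Write` is what makes this a trick rather than a clean API: the writer cannot tell markup from script text, so any literal `<script` in rendered content is rewritten too, which is one more reason to run the policy in Report-Only mode first, as the comments above suggest, and review violations before enforcing. Nonces also cover only `<script>` elements; the inline event-handler attributes and `javascript:` URLs that some controls emit for `__doPostBack` are not allowed by a nonce, which is why the answer mentions overriding `__doPostBack` as well.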