Login/Register
Add nonce attribute to auto-generated WebForms script
Asked Answered
asp.netwebformscontent-security-policy
H

3

11

While implementing the CSP header on my website, I am facing problems with the automatically generated postback JavaScript that webforms adds to the page:

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
    theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}
//]]>
</script>

To support some other inline script tags I have successfully added the nonce attribute; however I can find no way to modify this piece of generated code to do the same thing. I have explored ClientScript.GetPostBackEventReference, but this appears to control the JavaScript within, nothing about the rendering of the <script> tag itself.

The solution does not necessarily need to involve adding the nonce attribute—anything that complies will do. For example, if there is an ASP.NET setting which can be configured to load this script as a file (which I can whitelist), that would be fine.

Heteropterous answered 9/6, 2017 at 15:38 Comment(2)
I'm having the same issue, did you ever find a solution or work around for thisHizar
@Hizar I'm afraid I didn't.Heteropterous
S
4

Good luck implementing a good CSP on ASP.NET with Webforms Scheme - WebForms controls will add a whole bunch of inline scripts like on this login button:

<a id="btnLogin" class="btn btn-info pull-right" href="javascript:__doPostBack(&#39;btnLogin&#39;,&#39;&#39;)">Login</a>

If you're not using many <asp:... controls, you might be alright.

To allow the above script you want to run, you can add this to your CSP after script-src:

sha256-uVkxb0ccirYwSBxwdr2/4qtJEH1eBw7MslAgyLdAVVY="

It lets your browser know that it should execute any script that has that sha256 hash.

The hash I've given you may not work if you're using different newlines to what I'm using (which I believe is windows style).

You should also be careful that if you don't have a page which changes the default form id to something other than "form1".

Simonsimona answered 23/4, 2018 at 12:59 Comment(0)
J
0

We had a similar issue and our solution was to precalculate SHA-256 hash for those ASP.NET scripts and add these hashes to CSP header

/*
         //<![CDATA[
         var theForm = document.forms['aspnetForm'];
         if (!theForm) {
         theForm = document.aspnetForm;
         }
         function __doPostBack(eventTarget, eventArgument) {
         if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
         theForm.__EVENTTARGET.value = eventTarget;
         theForm.__EVENTARGUMENT.value = eventArgument;
         theForm.submit();
         }
         }
         //]]>
         */
        "sha256-ATReICQsd+smV/PvrA4eH+DuxsenS4SxbGcSjySJlBA=",
         /*
         * //<![CDATA[
         * if (typeof(Sys) === 'undefined') throw new Error('ASP.NET Ajax client-side framework failed to load.');
         * //]]>
         */
        "sha256-2vr5KMButMK7a+bOf/ned/cPnF2yNooMulXA8E65wGw=",

Add these hashes to the CSP header

    string rule = $"script-src sha256-ATReICQsd+smV/PvrA4eH+DuxsenS4SxbGcSjySJlBA= sha256-2vr5KMButMK7a+bOf/ned/cPnF2yNooMulXA8E65wGw=";

        Response.AddHeader("Content-Security-Policy", rule);
Jandel answered 12/5, 2021 at 13:19 Comment(0)
N
0

My solution to this was to grab the script code and put it in a section that was secured. Afterwards, I just ignored the error because the code would run the one in the secure area and ignore the one that wasn't secured.

Nomadize answered 15/9, 2022 at 21:48 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.