Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add Nonce support for other HTML elements that might have an inline style element

See original GitHub issue

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' *.cloudflare.com *.disquscdn.com *.googleapis.com *.buttercms.com *.googleusercontent.com 'nonce-Tz8sqHeAjtkqmJZxqciT/YJzmu27Nqr7Y2WPwJMT+Cs='". Either the 'unsafe-inline' keyword, a hash ('sha256-U9tCTcgKy8M4xindppgbF+UxDlhaFqd2U2zGu0s19ik='), or a nonce ('nonce-...') is required to enable inline execution.

The Tag Helper doesn’t apply the nonce to the following (among others)

<div background-image: url(@Html.GetResizedImageUrl(Model.FeaturedImage, 1200, 250, FitType.Crop));" asp-add-nonce="true"><!-- stuff --></div>

Issue Analytics

State:
Created 5 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

hades200082commented, May 24, 2018

No problem - it’s a great library.

These might be good options to add too… and very simple 😃

context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
context.Response.Headers.Add("Referrer-Policy", "strict-origin-when-cross-origin");

0reactions

juunas11commented, May 23, 2018

Thanks a lot for using the library and taking the time to report this though 😃