GeekInTheNorth / Stott.Security.Optimizely

A CMS Administration interface for managing security headers for Optimizely CMS Traditional and Hybrid builds.
MIT License

Nonce value not being added #245

Closed adayinthelifeofapro closed 1 month ago

adayinthelifeofapro commented 1 month ago

When using the following helper tags:

<link nonce asp-href-include="~/static/css/*.css" rel="stylesheet" />
<script nonce asp-src-include="~/static/js/*.js" type="text/javascript"></script>

The nonce values when viewing the rendered page source look as follows:

<link nonce rel="stylesheet" href="/static/css/bundle.css" />

<script nonce type="text/javascript" src="/static/js/all.js"></script>
<script nonce type="text/javascript" src="/static/js/bundle.js"></script>

GeekInTheNorth commented 1 month ago

Hi @adayinthelifeofapro

Can you confirm that you have the following line in your _ViewImports.cshtml?

@addTagHelper *, Stott.Security.Optimizely

Obviously you're using the built-in C# tag helper; theoretically both tag helpers should get used. I'll see if I can reproduce the issue.

GeekInTheNorth commented 1 month ago

@adayinthelifeofapro Also, the order of the registered tag helpers can affect this; it might be worth checking the order in which they are applied.

adayinthelifeofapro commented 1 month ago

@GeekInTheNorth I can confirm that I have added the tag helper as specified in the documentation. My _ViewImports.cshtml is quite basic and looks like this.

image

GeekInTheNorth commented 1 month ago

@adayinthelifeofapro Turns out a simple order property fixes that on the NonceTagHelper. HF 2.8.1 is incoming.

adayinthelifeofapro commented 1 month ago

@GeekInTheNorth many thanks for sorting so quickly. I have just installed 2.8.1 and can confirm that the nonce values are now being added to the tags 👍
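
One way to check rendered output for the symptom reported in this issue (a `nonce` attribute with no value), as an added example that is not part of the thread or the project's code. The CSP header string, the nonce value and the `audit` helper are assumptions constructed for illustration; the broken markup is the output quoted in the first comment.

```python
import re
from html.parser import HTMLParser

# Matches nonce sources such as 'nonce-AbC123==' inside a CSP header value.
NONCE_SOURCE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")

class NonceAudit(HTMLParser):
    """Collects (tag, resource, problem) for script and stylesheet tags."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a valueless attribute such as `nonce` maps to None
        rel = (a.get("rel") or "").lower().split()
        if tag not in ("script", "style") and not (tag == "link" and "stylesheet" in rel):
            return
        resource = a.get("src") or a.get("href") or "(inline)"
        if "nonce" not in a:
            self.findings.append((tag, resource, "missing"))
        elif not a["nonce"]:
            self.findings.append((tag, resource, "empty"))
        elif a["nonce"] not in self.allowed:
            self.findings.append((tag, resource, "mismatch"))

def audit(html, csp_header):
    """Return findings for tags that do not carry a nonce allowed by the header.
    Simplification: script-src and style-src nonces are pooled into one set."""
    parser = NonceAudit(set(NONCE_SOURCE.findall(csp_header)))
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed header; the nonce value is made up for this example.
CSP = "script-src 'self' 'nonce-c2FtcGxlLW5vbmNl'; style-src 'self' 'nonce-c2FtcGxlLW5vbmNl'"
# Rendered output as reported in this issue (nonce attribute present, no value).
BROKEN = """<link nonce rel="stylesheet" href="/static/css/bundle.css" />
<script nonce type="text/javascript" src="/static/js/all.js"></script>
<script nonce type="text/javascript" src="/static/js/bundle.js"></script>"""
# Constructed: what the same tags look like once the nonce value is populated.
FIXED = BROKEN.replace(" nonce ", ' nonce="c2FtcGxlLW5vbmNl" ')

if __name__ == "__main__":
    for finding in audit(BROKEN, CSP):
        print(finding)
    print("fixed:", audit(FIXED, CSP))
```

Run against a saved page source and the response's Content-Security-Policy header, an empty result means every script and stylesheet tag carries a nonce the header allows.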