Offroadcode / umbraco-content-security-policy

Code that generates a Content-Security-Policy header, but allows front-end developers to easily edit it through a straightforward config file.

Use OWIN instead of HttpModule #1

Open dawoe opened 6 years ago

dawoe commented 6 years ago

This week I was researching how to generate a nonce for my inline script/css block to avoid the use of unsafe-inline and unsafe-eval.

I came across this article that uses OWIN to do that: https://vcsjones.com/2014/12/17/content-security-policy-nonces-in-asp-net-and-owin/

Maybe this can be used. This would allow for a nonce as well from your package.

Umbraco already has an OWIN startup class defined in the web.config.

So I guess it would be a matter of inheriting that one and updating the web.config with yours.

Dave

steroberts89 commented 6 years ago

@dawoe I'm not currently 100% happy with the way Umbraco is doing the OWIN startup at the moment, because there are scenarios where things get quirky.

Your example, for instance, where you have your own startup class which is inheriting from UmbracoDefaultOwinStartup: you would have to inherit from our OwinStartup class. That is doable, but it adds complexity.

Now say there were two packages which you wanted to use which inherited from the base OwinStartup. You would have to download the source code of one of them, add a reference to the other package and then change the inheritance and build up a chain of inheritance from PackageA : PackageB : OwinStartup. Plus, then there is the issue with ordering. PackageA might need to be before PackageB, but maybe PackageB also needs to be loaded before PackageA!

And down the line, if someone is maintaining a site with that implementation and not aware of it, someone will be scratching their head and going in circles trying to figure things out!

What we could do to fix this is for it to become standard for everyone to have their own OwinStartup class within their sites and for package developers to expose helpers which configure their bits (much like MVC with the Global.asax where you configure routing etc. in one place).
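To make the two proposals above concrete (dawoe's per-request nonce generated in OWIN middleware, and steroberts89's "site owns the startup class, packages expose helpers" pattern), here is an added example. It is not code from the umbraco-content-security-policy package or from the linked article; it assumes Umbraco 7 with `Umbraco.Web.UmbracoDefaultOwinStartup`, the Microsoft.Owin and Microsoft.Owin.Host.SystemWeb packages, and a hypothetical package-side extension method `UseContentSecurityPolicyNonce` plus an environment key `csp.nonce` that I made up for the illustration.

```csharp
// Added example, not code from the umbraco-content-security-policy package.
// Assumes Microsoft.Owin, Microsoft.Owin.Host.SystemWeb and Umbraco 7 (UmbracoDefaultOwinStartup).
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Owin;
using Owin;
using Umbraco.Web;

namespace CspNonceExample
{
    // Hypothetical package-side helper: the package exposes an extension method and
    // the site's own startup class decides where in the pipeline it runs.
    public static class CspNonceMiddleware
    {
        // Hypothetical key under which the nonce is stored in the OWIN environment.
        public const string NonceKey = "csp.nonce";

        public static IAppBuilder UseContentSecurityPolicyNonce(this IAppBuilder app)
        {
            return app.Use(async (IOwinContext context, Func<Task> next) =>
            {
                // 128 bits from a CSPRNG, base64-encoded as CSP expects; a fresh value per response.
                var bytes = new byte[16];
                using (var rng = RandomNumberGenerator.Create())
                {
                    rng.GetBytes(bytes);
                }
                var nonce = Convert.ToBase64String(bytes);
                context.Set(NonceKey, nonce);

                // Write the header when headers are about to be sent, so anything later in the
                // pipeline can still read the nonce and nothing overwrites it afterwards.
                context.Response.OnSendingHeaders(state =>
                {
                    var ctx = (IOwinContext)state;
                    if (!ctx.Response.Headers.ContainsKey("Content-Security-Policy"))
                    {
                        ctx.Response.Headers.Set("Content-Security-Policy",
                            "default-src 'self'; " +
                            "script-src 'self' 'nonce-" + nonce + "'; " +
                            "style-src 'self' 'nonce-" + nonce + "'");
                    }
                }, context);

                await next();
            });
        }

        // View helper: reads the nonce back out of the OWIN environment for <script nonce="...">.
        public static string GetCspNonce(this HttpContextBase http)
        {
            return http.GetOwinContext().Get<string>(NonceKey) ?? string.Empty;
        }
    }

    // Site-owned startup: inherits Umbraco's default startup and wires package helpers in one
    // place, the way Global.asax does for routes. Registered in web.config with
    //   <add key="owin:appStartup" value="CspNonceExample.SiteOwinStartup" />
    public class SiteOwinStartup : UmbracoDefaultOwinStartup
    {
        public override void Configuration(IAppBuilder app)
        {
            base.Configuration(app);
            app.UseContentSecurityPolicyNonce();
            // Helpers from other packages go here, in whatever order this site needs.
        }
    }
}
```

In a Razor view the inline block then becomes `<script nonce="@Context.GetCspNonce()">...</script>`. Two caveats a practitioner should check: a nonce only whitelists inline script and style blocks, so any `eval`/`new Function` use still needs `'unsafe-eval'` or refactoring; and if the page is served from an output cache, the cached markup carries a stale nonce that will not match the fresh one in the header, so nonce-bearing pages must not be cached (or the header must be cached with them).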

dawoe commented 6 years ago

But that scenario also is valid for HttpModules. If somebody has their own HttpModules adding one can break the site as well.

I think some things need to be changed in core to tackle these kinds of scenarios.

Maybe it's time that @PeteDuncanson creates a new issue ;-)

PeteDuncanson commented 6 years ago

What is this? Voice activated issue creating? I'm not a robot you know!

Issues created: http://issues.umbraco.org/issue/U4-11169

:)

naepalm commented 6 years ago

Adding an HttpModule for the site + this one shouldn't break it, unless you're trying to use two different ones to add Content-Security-Policy headers. Which I'd recommend against ;)