Content Security Policy with nonce prevents Application Insights javascript running #2275

Closed
boat-priyanka-agrawal opened this issue May 21, 2021 · 4 comments
@boat-priyanka-agrawal

  • Using Microsoft.ApplicationInsights.Web package version 2.17.0
  • Runtime version - .net471
  • Hosting environment - Azure Web App

Hi,
We are enabling CSP with nonce attribute on our website, but it is preventing Application Insights JavaScript from running.
To solve that, I am looking into how to get the AI script and add to the header of it the Nonce Code I put in the Content-Security-Policy.

This issue, #1443, is similar to what I am trying, but this is for ASP.NET Core.
Is there a way to get the JavaScript snippet (that Application Insights injects on the page) and replace the script tag with nonce for ASP.NET?

jordansjones commented May 21, 2021

@boat-priyanka-agrawal in my project I have overcome this issue by referencing the NWebsec.AspNetCore.Mvc.TagHelpers package and I use it like so:

```cshtml
@* Output Application Insights JavaScript telemetry collection *@
<script nws-csp-add-nonce="true">
    @Html.Raw(JavaScriptSnippet.ScriptBody)
</script>
```

Edit: I just noticed you mentioned that this was for .net471. In that case, there is the NWebsec.Mvc package for .NETFramework projects. It also looks like there is a script nonce helper here: https://github.com/NWebsec/NWebsec/blob/bd210a1275c8266cbcc73f107e05cde0edd74993/src/NWebsec.AspNet.Mvc/HttpHeaders/Csp/CspHtmlHelpers.cs#L19

@boat-priyanka-agrawal

@jordansjones How are you getting the JavaScriptSnippet.ScriptBody ? What package are you using to get that, or have you defined it in a class of your own?

jordansjones commented May 25, 2021

> @jordansjones How are you getting the JavaScriptSnippet.ScriptBody ? What package are you using to get that, or have you defined it in a class of your own?

@boat-priyanka-agrawal JavaScriptSnippet.ScriptBody from my original reply is from the .NET Core assembly, which you won't be able to use, but I am not sure that matters because the NWebsec.Mvc package adds the nonce to the `<script>` tag and adds a corresponding value to the Content-Security-Policy HTTP header. Then in the script tag you can just copy/paste the install instructions from the non-npm snippet setup: https://github.com/microsoft/ApplicationInsights-JS#snippet-setup-ignore-if-using-npm-setup
Or, use the Alternative Setup Method from: https://github.com/microsoft/ApplicationInsights-JS#snippet-setup-ignore-if-using-npm-setup
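
Added example, not part of the thread and not code from NWebsec or the Application Insights SDK: the mechanism described in the comment above (a nonce on the `<script>` tag and the matching value in the Content-Security-Policy header), written as a plain System.Web module for .NET Framework without any helper package. `CspNonceModule`, `Current` and the `Items` key are hypothetical names, and the policy string is illustrative only.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Hypothetical module, not part of NWebsec or the Application Insights SDK.
// Register it under <system.webServer><modules> in web.config.
public sealed class CspNonceModule : IHttpModule
{
    private const string ItemKey = "CspScriptNonce"; // assumed HttpContext.Items key

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Fresh 128-bit value from the OS CSPRNG for every request. A nonce that
        // repeats (static value, output-cached page) gives no protection.
        byte[] bytes = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        string nonce = Convert.ToBase64String(bytes);
        ctx.Items[ItemKey] = nonce;

        // Illustrative policy only: merge the nonce into the site's real policy.
        // Browsers enforce every CSP header they receive, so drop any static
        // Content-Security-Policy header (e.g. web.config customHeaders) first.
        // The script the snippet downloads and the endpoint it posts telemetry to
        // must also be allowed by script-src and, if restricted, connect-src.
        ctx.Response.AddHeader("Content-Security-Policy",
            "script-src 'self' 'nonce-" + nonce + "'");
    }

    // Razor layout usage:
    //   <script nonce="@CspNonceModule.Current(Context)"> ...snippet... </script>
    public static string Current(HttpContextBase ctx)
    {
        return (string)ctx.Items[ItemKey];
    }

    public void Dispose() { }
}
```

After deploying, a blocked snippet shows up as a CSP violation in the browser console; compare the `nonce` attribute in the page source with the value in the response header for the same request.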

@boat-priyanka-agrawal

That's what we have decided to go ahead with - adding the snippet manually in the head section. Thanks @jordansjones!
