'nonce' attribute of <mini-profiler /> taghelper does not work for stylesheet include #560
d-gibbs changed the title from "'nonce' attribute of MiniProfiler taghelper does not work" to "'nonce' attribute of MiniProfiler taghelper does not work for stylesheet include" on May 18, 2021
d-gibbs changed the title from "'nonce' attribute of MiniProfiler taghelper does not work for stylesheet include" to "'nonce' attribute of <mini-profiler /> taghelper does not work for stylesheet include" on May 18, 2021
NickCraver pushed a commit that referenced this issue on Jul 3, 2021:
This propagates the `nonce` attribute to the generated <link> element as it should for proper CSP handling.
NickCraver added a commit that referenced this issue on Jul 3, 2021
Just pushed a fix for this - it'll be on the CI feed in a few minutes (see README), and likely on NuGet next week :)

Any plan to release a new nuget package? This is still not released apparently https://miniprofiler.com/dotnet/Releases
I'm using MiniProfiler.AspNetCore.Mvc v4.2.1 and attempting to set a nonce on the tag helper like so:

```html
<mini-profiler nonce="@Html.CspScriptNonce()" />
```

I'm finding that the nonce is correctly being set on the `<script />` includes file (trimmed):

```html
<script async id="mini-profiler" src="/mini-profiler-resources/includes.min.js?v=4.2.1+b27bea37e9" data-version="4.2.1+b27bea37e9" data-path="/mini-profiler-resources/" data-authorized="true" nonce="YkvcvTp1dLG5AR1UaZvrOO0c"></script>
```

But not for the stylesheet:

```html
<link rel="stylesheet" type="text/css" href="/mini-profiler-resources/includes.min.css?v=4.2.1+b27bea37e9">
```

Which then results in a bunch of CSP violations:

Is there a way that we can ensure the nonce gets applied to the MiniProfiler stylesheet include? At the moment it seems like the only option is to enable unsafe-inline for style-src which is not desirable.
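
Added example, not part of the original issue or MiniProfiler's own code: a small audit that parses rendered HTML and reports every `<script>`, `<style>` or `<link rel="stylesheet">` whose `nonce` is missing or not listed in the policy, which is the gap reported above. The nonce-only policy string is constructed for illustration; the check looks only at nonces and ignores other source expressions and `default-src` fallback.

```python
from html.parser import HTMLParser
import re

# Constructed nonce-only policy; the nonce value is the one on the <script> tag in the issue.
CSP = "script-src 'nonce-YkvcvTp1dLG5AR1UaZvrOO0c'; style-src 'nonce-YkvcvTp1dLG5AR1UaZvrOO0c'"

# The two includes quoted in the issue (data-* attributes trimmed from the script tag).
RENDERED = '''
<script async id="mini-profiler" src="/mini-profiler-resources/includes.min.js?v=4.2.1+b27bea37e9" nonce="YkvcvTp1dLG5AR1UaZvrOO0c"></script>
<link rel="stylesheet" type="text/css" href="/mini-profiler-resources/includes.min.css?v=4.2.1+b27bea37e9">
'''

def policy_nonces(csp):
    """Map each directive name to the set of nonces it allows."""
    out = {}
    for directive in filter(None, (d.strip() for d in csp.split(";"))):
        name, *sources = directive.split()
        out[name.lower()] = set(re.findall(r"'nonce-([A-Za-z0-9+/_=-]+)'", " ".join(sources)))
    return out

class NonceAudit(HTMLParser):
    """Collect script/style includes whose nonce is absent or not in the policy."""
    def __init__(self, nonces):
        super().__init__()
        self.nonces, self.findings = nonces, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script":
            directive = "script-src"
        elif tag == "style" or (tag == "link" and "stylesheet" in rel):
            directive = "style-src"
        else:
            return
        nonce = a.get("nonce")
        if nonce not in self.nonces.get(directive, set()):
            reason = "missing nonce" if nonce is None else "nonce not in policy"
            target = a.get("src") or a.get("href") or "(inline)"
            self.findings.append((tag, directive, target, reason))

def audit(html, csp):
    """Return (tag, directive, target, reason) for each element lacking a valid nonce."""
    parser = NonceAudit(policy_nonces(csp))
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for finding in audit(RENDERED, CSP):
        print(finding)
```

Run against a rendered page in an integration test, this catches a tag helper or other component that emits an include without propagating the nonce before the browser reports it as a violation.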