-
Notifications
You must be signed in to change notification settings - Fork 604
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a nonce option and Render testing #465
Conversation
...and go ahead and update release notes in general.
@@ -46,7 +46,7 @@ | |||
@RenderSection("scripts", required: false) | |||
|
|||
@* Simple options are exposed...or make a full options class for customizing. *@ | |||
<mini-profiler position="@RenderPosition.Right" max-traces="5" color-scheme="ColorScheme.Auto" /> | |||
<mini-profiler position="@RenderPosition.Right" max-traces="5" color-scheme="ColorScheme.Auto" nonce="45" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that nonce is supposed to be random on every page load, I'm not sure it makes sense to have it as an attribute on mini-profiler
? Would the intention instead be to use something like @NonceSource.GetNonce()
?
As far as documentation / samples go, what is the story for "I want to inform miniprofiler about a nonce that comes from some piece of middleware?" The middleware shoves it in the context somewhere and it gets pulled in here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct - you'd pass in a unique value. Even putting say a <Func<HttpContext, string>
is complicated due to the different primitives with .NET vs. .NET Core...maybe when we can drop .NET Full Framework support one day that gets easier since there's no common ancestor need.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh sorry misread the second part - there's no built-in middleware story I can think of that makes sense here. The problem is generally you want MiniProfiler to profile the things you're doing and we have an order inversion problems with dependencies about the middleware doing it. Either direction we choose would be wrong for some subset of users. At least in v1, I'd want to leave it up to the users to handle their nonce generation.
@@ -82,6 +82,10 @@ public static class Render | |||
{ | |||
sb.Append(" data-start-hidden=\"true\""); | |||
} | |||
if (renderOptions?.Nonce.HasValue() ?? false) | |||
{ | |||
sb.Append(" nonce=\"").Append(renderOptions.Nonce).Append("\""); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since I see that sb
contains other markup elements, (line 114) it is presumed that it's contents are HtmlSafe
? Is there any concern that Nonce
is an XSS point, or at least requires some escaping?
Alternatively, what about simply rendering the incorrect thing? If a nonce is supposed to be random and someone's nonce generator uses the printable ascii range (0x20-0x7F), &
, "
, etc. could feasibly end up breaking rendering if this isn't escaping like I am concerned about.
Is it assumed that the caller will do the escaping for miniprofiler?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doh, absolutely - this was the first text thing a user can pass and definitely needs encoding, total goof. Updated (and added a few tests for these cases).
This is a user-passed string, do the right thing here.
@vcsjones if time allows, mind taking one more peek please? |
@vcsjones Thanks! |
Fix for #393, allows passing a nonce through the new
RenderOptions
API added in #451.Also a minor optimization for async...we don't need that attribute value for any browser that'll support us today.