CSP policy nonce configured and generated on startup

Question

CSP policy nonce configured and generated on startup

Opened this issue 5 years ago · 0 comments

I'm using these library versions:

ReactJS.NET: 5.2.11
JavaScriptEngineSwitcher: 3.1.8

Runtime environment:

OS: Windows
.NET Framework or .NET Core Version: .NET Core 3.1

I was looking in the documentation how to enable nonce inside ReactJs.NET and I found that it can be only configured during the startup of application similar to following code

      config
	.SetReuseJavaScriptEngines(true)
	.SetLoadBabel(false)
	.SetLoadReact(false)
	.SetReactAppBuildPath("~/dist")
        .SetScriptNonceProvider(nonceGeneratorService.GetNonce);

I have also written a middleware that injects CSP policy for every request and calls nonceGeneratorService.GetNonce to fetch the value of the nonce for that request. This works fine for my other projects because service is injected as scoped.

However to make this work with ReactJs.NET I have injected nonceGeneratorService as a singelton which means that nonce will be same for every reqeust until service is restarted.

Is there a possibility to achieve this with nonce being generated per request and not during startup?