Dynamic scripts with CSP (Content Security Policy)

An ASP.NET WebForms project adds several scripts to the page on the fly. Since these scripts don’t exist in the compile time, how to whitelist these dynamic scripts with CSP?

The title and the first paragraph may sound pretty abstract. Let’s look at the fundamentals first.

Are you receiving “Custom JavaScript is not allowed” error? Check this post out.

What is CSP (Content Security Policy)?

CSP is an HTTP header that we use to prevent cross site scripting (XSS) and packet sniffing attacks. Long story short: By using CSP header, we tell the browser which scripts or other resources we trust. The browser executes these resources and ignores the rest.

Here is an example CSP header:

object-src 'none';  script-src 'nonce-{random}' 'unsafe-inline'

As mentioned in this article, this header means:

object-src 'none' Prevents fetching and executing plugin resources embedded using <object>, <embed> or <applet> tags. The most common example is Flash.

script-src nonce-{random} 'unsafe-inline' The nonce directive means that <script> elements will be allowed to execute only if they contain a nonce attribute matching the randomly-generated value which appears in the policy.

Note: In the presence of a CSP nonce the unsafe-inline directive will be ignored by modern browsers. Older browsers, which don’t support nonces, will see unsafe-inline and allow inline scripts to execute.

For more information about CSP:

If the browser blocks a resource because it doesn’t comply with CSP, you will see this error in browser logs:

Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘self'”. Either the ‘unsafe-inline’ keyword, a hash, or a nonce is required to enable inline execution.

Dynamic scripts with CSP

How to prevent executing dynamic scripts with CSP?

Using unsafe-inline removes the error above (“Refuse to execute inline script“). However, it is not a secure way of whitelisting dynamically created scripts.

script-src 'self' 'unsafe-inline'

Other than using unsafe-inline, it doesn’t seem like there is another way to whitelist dynamic scripts with CSP. There are a few open questions below if you want to keep posted about future updates on this topic.

PageMethods is not working (Solved)

PageMethods is a JavaScript class that you can use to call a server-side function. It’s basically an AJAX call which works asynchronously. In .NET world, you can use PageMethods to call a C# code-behind function. If you think that PageMethods is not working no matter what you do, keep reading.

For PageMethods to work, you need a JavaScript function on the client-side and a WebMethod function on the server-side.

Sample JavaScript code (Put it in asp:content section of Default.aspx):

<script type="text/jscript">

   function callCodeBehind() {
		PageMethods.GetMessage("test string", onSuccess, onFailure);
	}

   function onSuccess(result, usercontext, methodname) {
	   alert(result)
   }

   function onFailure(error, usercontext, methodname) { alert("failed: "+ error.get_message()); }

</script>

Sample C# code (code-behind file – Default.aspx.cs):

public partial class Welcome : System.Web.UI.Page
{
	protected void Page_Load(object sender, EventArgs e)
	{

	}

	[WebMethod]
	protected static void GetMessage(string val)
	{
		return "doingit";
	}
}

A button to call the JavaScript function (in Default.aspx)

<button onclick="callCodeBehind()">Click me</button> 

ScriptManager (in Site.Master – note that EnablePageMethods is set to True):

<asp:ScriptManager ID="ScriptManager1" runat="server" EnablePageMethods="True">
</asp:ScriptManager>

Having issues with your AJAX call as part of Google reCAPTCHA implementation? Check this post out.

What to do if PageMethods is not working

If you have the code above, your project should be working. In exceptional cases, you may not receive the return value. In my case, the issue was the post-back that was happening after clicking the button.

The reason behind the post-back was that friendy URL setting. As soon as I disabled it, my PageMethods function started working.

In order to disable friendly URL feature, remove or comment out the line below in your RouteConfig file.

routes.EnableFriendlyUrls(settings)
Solved PageMethods is not working issue
Successfully returned the value

Are you losing data after a post-back? Here is what to do.

References:

Cannot perform CAS Asserts in Security Transparent methods (Solved)

You may come across this error message while trying to use a third-party library in your .NET application: “Cannot perform CAS Asserts”. As the message implies, this issue is about the security mechanism that protects your system from unreliable components.

Here is the entire error message:

System.InvalidOperationException: Cannot perform CAS Asserts in Security Transparent methods

What is CAS (Code Access Security)?

CAS is a security mechanism provided by .NET Framework to protect your system against malicious code blocks and components.

The .NET Framework provides a mechanism for the enforcement of varying levels of trust on different code running in the same application called Code Access Security (CAS).

Microsott Docs

Why we need CAS?

Users obtain code from many sources, some of which might be unreliable; code can contain bugs or vulnerabilities that enable it to be exploited by malicious code; and code sometimes does things that the user does not know it will do. As a result, computer systems can be damaged and private data can be leaked when cautious and trustworthy users run malicious or error-filled software.

Microsott Docs
How to solve "Cannot perform CAS Asserts" error
Slide source

Root Cause

The reason you receive “Cannot perform CAS Asserts” error is that your application is trying to use an external library that is not trusted by CAS. It happens especially when you upgrade .NET Framework version in your development machine. In this case, you should update your code as per the new CAS requirements come with the new .NET Framework version.

For more information about major CAS changes in .NET Framework 4.0: Link 1, link 2

Receiving Schannel 10013 error? Check this post out.

How to solve “Cannot perform CAS Asserts” error

Solution 1: Full-trust

Making your application a “full-trust” application solves this issue unless the application is marked as security-transparent. However, many hosting companies don’t allow applications run on “full-trust”.

Solution 2: GAC

Another way to solve this issue is that adding the external DLLs into GAC (Global Assembly Cache) by using Gacutil.exe. Check this article out for instructions to install an assembly into GAC. Gacutil.exe comes with Windows SDK and Visual Studio.

Solution 3: Code changes

Changing your application’s code and making it compatible with the new CAS implementations is the best solution in the long-term. Here is an article to guide you through the changes you should make in your code.