Use OWIN instead of HttpModule #1

Open
dawoe opened this issue Mar 30, 2018 · 4 comments

@dawoe

dawoe commented Mar 30, 2018

This week I was researching how to generate a nonce for my inline script/css block to avoid the use of unsafe-inline and unsafe-eval.

I came across this article that uses OWIN to do that: https://vcsjones.com/2014/12/17/content-security-policy-nonces-in-asp-net-and-owin/

Maybe this can be used. This would allow for a nonce as well from your package.

Umbraco already has an OWIN startup class defined in the web.config.

So I guess it would be a matter of inheriting that one and updating the web.config with yours.

Dave

@steroberts89

@dawoe I'm not currently 100% happy with the way Umbraco is doing the OWIN startup at the moment, because there are scenarios where things get quirky.

Your example for instance, where you have your own startup class which is inheriting from UmbracoDefaultOwinStartup, you would have to inherit from our OwinStartup class. That is doable, but it adds complexity.

Now say there were two packages which you wanted to use which inherited from the base OwinStartup, you would have to download the source code of one of them, add a reference to the other package and then change the inheritance and build up a chain of inheritance from PackageA : Package B : OwinStartup.
Plus then there is the issue with ordering. PackageA might need to be before PackageB, but maybe PackageB also needs to be loaded before PackageA!

And down the line, if someone is maintaining a site with that implementation and not aware of it, someone will be scratching their head and going in circles trying to figure things out!

What we could do to fix this is for it to become standard for everyone to have their own OwinStartup class within their sites and for package developers to expose helpers which configure their bits (much like MVC with the Global.asax where you configure routing etc. in one place).
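An added sketch of the two ideas discussed above (a per-request CSP nonce set from OWIN middleware, exposed as a helper that a site-owned startup class calls); it is not code from this thread or from the package. The names `UseCspNonce`, `CspNonceKey` and `SiteOwinStartup` are hypothetical, and the policy string is a constructed sample.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.Owin;
using Owin;
using Umbraco.Web;

public static class CspNonceExtensions
{
    public const string CspNonceKey = "csp.nonce"; // hypothetical environment key

    // Helper a package could expose, so the site's own startup class decides the order.
    public static IAppBuilder UseCspNonce(this IAppBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            // Fresh 128-bit value per request from a CSPRNG; a reused nonce
            // gives no protection against injected inline script.
            var bytes = new byte[16];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(bytes);
            }
            var nonce = Convert.ToBase64String(bytes);

            // Expose the nonce to views through the OWIN environment.
            context.Set(CspNonceKey, nonce);

            // Write the header just before the response starts; the policy
            // carries the nonce instead of 'unsafe-inline'.
            context.Response.OnSendingHeaders(state =>
            {
                var response = (IOwinResponse)state;
                response.Headers.Set("Content-Security-Policy",
                    "script-src 'self' 'nonce-" + nonce + "'; style-src 'self' 'nonce-" + nonce + "'");
            }, context.Response);

            await next();
        });
    }
}

// Site-owned startup class; the owin:appStartup appSetting in web.config points at it.
public class SiteOwinStartup : UmbracoDefaultOwinStartup
{
    public override void Configuration(IAppBuilder app)
    {
        base.Configuration(app); // keep Umbraco's own OWIN setup
        app.UseCspNonce();       // explicit, visible ordering in one place
    }
}
```

A view can then read the value with `HttpContext.Current.GetOwinContext().Get<string>(CspNonceExtensions.CspNonceKey)` and emit it as the `nonce` attribute on each inline `<script>` or `<style>` block.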

@dawoe
Author

dawoe commented Apr 3, 2018

But that scenario also is valid for HttpModules. If somebody has their own HttpModules adding one can break the site as well.

I think some things need to be changed in core to tackle these kinds of scenarios.

Maybe it's time that @PeteDuncanson creates a new issue ;-)

@PeteDuncanson
Member

What is this? Voice activated issue creating? I'm not a robot you know!

Issues created: http://issues.umbraco.org/issue/U4-11169

:)

@naepalm
Contributor

naepalm commented Apr 3, 2018

Adding an HttpModule for the site + this one shouldn't break it, unless you're trying to use two different ones to add Content-Security-Policy headers. Which I'd recommend against ;)
