How to Configure the Nonce Attribute for Bold-script-manager in Bold Reports
The nonce attribute is typically used with the <script> tag in HTML to enforce a Content Security Policy (CSP) on inline scripts; it is not a general attribute that can be used with any HTML element. Its purpose is to carry a cryptographic nonce (a number used once) that appears both in the script element's nonce attribute and in the CSP header of the server response. The browser only executes a script whose nonce matches the value announced in the header, which helps mitigate cross-site scripting (XSS) attacks. Here are the steps to configure the nonce attribute:
- In the Layout.cshtml file, add the add-nonce attribute to the bold-script-manager element as follows.
<bold-script-manager add-nonce="@Context.Items["ScriptNonce"]"></bold-script-manager>
This attribute will dynamically set the nonce value for the bold-script-manager element.
- In the Startup.cs file, import the System.Security.Cryptography namespace, and inside the Configure method, add the following code sample.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.Use(async (context, next) =>
    {
        // Generate 32 cryptographically random bytes for this request and
        // Base64-encode them, the form a CSP 'nonce-' source expects.
        byte[] nonceBytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(nonceBytes);
        }
        string nonceValue = Convert.ToBase64String(nonceBytes);

        // Store the nonce so Layout.cshtml can read it via
        // @Context.Items["ScriptNonce"]; indexer assignment does not throw
        // if the key was already set earlier in the pipeline.
        context.Items["ScriptNonce"] = nonceValue;
        await next();
    });
}
This code sets up middleware that generates a random nonce value for each incoming request and adds it to the Context.Items collection with the key ScriptNonce. The RNGCryptoServiceProvider class generates a cryptographically secure random value.
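The step above stores the nonce, and the introduction notes that the browser also compares it against the CSP header of the response. The middleware below, added here as an illustration and not code from Bold Reports, does both in one place: it generates the nonce, stores it under the same ScriptNonce key the layout reads, and emits a Content-Security-Policy header carrying the matching 'nonce-' source. The class name CspNonceMiddleware, the UseCspNonce extension and the policy directives are assumptions to adapt to your application; it uses RandomNumberGenerator.GetBytes, which replaces the RNGCryptoServiceProvider class that is marked obsolete from .NET 6 onward.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (not part of Bold Reports): one nonce per request,
// shared between the CSP header and the bold-script-manager add-nonce attribute.
public class CspNonceMiddleware
{
    private readonly RequestDelegate _next;

    public CspNonceMiddleware(RequestDelegate next) => _next = next;

    // 32 random bytes, Base64-encoded: Base64 is the character set CSP
    // permits inside a 'nonce-' source, so no further escaping is needed.
    public static string CreateNonce() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));

    // Assumed policy: scripts only from the same origin or carrying this
    // request's nonce. Extend the directive list to what your pages need.
    public static string BuildPolicy(string nonce) =>
        $"script-src 'self' 'nonce-{nonce}'; object-src 'none'; base-uri 'self'";

    public async Task InvokeAsync(HttpContext context)
    {
        string nonce = CreateNonce();

        // Same key Layout.cshtml reads via @Context.Items["ScriptNonce"].
        context.Items["ScriptNonce"] = nonce;

        // Headers must be in place before the response body starts; setting
        // the header here, before calling the next middleware, guarantees that.
        context.Response.Headers["Content-Security-Policy"] = BuildPolicy(nonce);

        await _next(context);
    }
}

// Registration helper for Startup.Configure (or Program.cs).
public static class CspNonceMiddlewareExtensions
{
    public static IApplicationBuilder UseCspNonce(this IApplicationBuilder app) =>
        app.UseMiddleware<CspNonceMiddleware>();
}
```

Register it with app.UseCspNonce() before app.UseRouting() so every rendered page gets its own nonce. If another layer (a reverse proxy, for instance) also sets Content-Security-Policy, browsers enforce every policy they receive and a script must satisfy all of them, so the 'nonce-' source has to appear in each copy or the bold-script-manager scripts will be blocked.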
By following these steps, the bold-script-manager element in your application will dynamically have the nonce attribute set, ensuring compliance with Content Security Policy (CSP).