How to implement strict-dynamic in c# project

As of my last update in September 2021, the Content Security Policy (CSP) level 3 includes the strict-dynamic directive, which allows the execution of dynamically created scripts while still blocking inline scripts and the eval() function. This directive enhances security by providing a mechanism to use dynamically created scripts from trusted sources without resorting to inline scripts or eval().

To implement the strict-dynamic directive in a C# project, you need to set the appropriate CSP header in your web application’s HTTP responses. Since you mentioned a C# project, I’ll assume you are using ASP.NET Core. Here’s how you can implement it:

Install the required NuGet package: You’ll need the Microsoft.AspNetCore.Http package to work with HTTP headers.

Install-Package Microsoft.AspNetCore.Http

In your ASP.NET Core project, open the Startup.cs file.
Inside the ConfigureServices method, register the ContentSecurityPolicy service:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

namespace YourAppName
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Other service configurations

            // Register the ContentSecurityPolicy service
            services.AddContentSecurityPolicy();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            // Other middleware configurations

            // Use the Content-Security-Policy middleware
            app.UseContentSecurityPolicy();

            // Other middleware configurations
        }
    }
}

In your project, create a new class for the ContentSecurityPolicyMiddleware:

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

namespace YourAppName.Middleware
{
    public class ContentSecurityPolicyMiddleware
    {
        private readonly RequestDelegate _next;

        public ContentSecurityPolicyMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public async Task Invoke(HttpContext context)
        {
            // Define the CSP header with strict-dynamic
            var cspDirective = "default-src 'self'; script-src 'strict-dynamic' 'self' trusted-scripts.example.com;";

            // Set the Content-Security-Policy header
            context.Response.Headers.Add("Content-Security-Policy", cspDirective);

            // Call the next middleware in the pipeline
            await _next(context);
        }
    }
}

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

namespace YourAppName
{
    public class Startup
    {
        // ...

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            // ...

            // Use the ContentSecurityPolicyMiddleware
            app.UseMiddleware<ContentSecurityPolicyMiddleware>();

            // ...

            app.UseRouting();

            // ...
        }
    }
}

Now your ASP.NET Core application should be sending the Content-Security-Policy header with the strict-dynamic directive, allowing the execution of dynamically created scripts from the same origin while blocking inline scripts and the eval() function. Adjust the cspDirective variable in the ContentSecurityPolicyMiddleware class to match your desired CSP policy.