Add nonce to sample project for demo

samples/Samples.AspNet/Helpers/NonceService.cs

@@ -0,0 +1,20 @@
+using System;
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Samples.AspNetCore
+{
+    /// <summary>
+    /// Nonce service (custom implementation) for sharing a random nonce for the lifetime of a request.
+    /// </summary>
+    public class NonceService
+    {
+        public string RequestNonce { get; } = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));
+    }
+
+    public static class NonceExtensions
+    {
+        public static string? GetNonce(this HttpContext context) => context.RequestServices.GetService<NonceService>()?.RequestNonce;
+    }
+}

samples/Samples.AspNet/Pages/RazorPagesSample.cshtml

@@ -13,7 +13,7 @@
     <partial name="Index.RightPanel" />
 </div>
 @section scripts {
-    <script>
+    <script nonce="@HttpContext.GetNonce()">
         $(function () {
             // these links should fire ajax requests, not do navigation
             $('.ajax-requests a').click(function () {

samples/Samples.AspNet/Startup.cs

@@ -44,6 +44,9 @@ public void ConfigureServices(IServiceCollection services)
                 options.SuppressAsyncSuffixInActionNames = false;
             });
 
+            // Registering a per-request Nonce provider for use in headers and scripts - this is optional, only demonstrating.
+            services.AddScoped<NonceService>();
+
             // Add MiniProfiler services
             // If using Entity Framework Core, add profiling for it as well (see the end)
             // Note .AddMiniProfiler() returns a IMiniProfilerBuilder for easy IntelliSense
@@ -110,6 +113,8 @@ public void ConfigureServices(IServiceCollection services)
                 options.IgnoredPaths.Add("/lib");
                 options.IgnoredPaths.Add("/css");
                 options.IgnoredPaths.Add("/js");
+
+                options.NonceProvider = s => s.GetService<NonceService>()?.RequestNonce;
             }).AddEntityFramework();
         }
 
@@ -128,6 +133,13 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             app.UseMiniProfiler()
                .UseStaticFiles()
                .UseRouting()
+               // Demonstrating CSP support, this is not required.
+               .Use(async (context, next) =>
+               {
+                   var nonce = context.RequestServices.GetService<NonceService>()?.RequestNonce;
+                   context.Response.Headers.Add("Content-Security-Policy", $"script-src 'self' 'nonce-{nonce}'");
+                   await next();
+               })
                .UseEndpoints(endpoints =>
                {
                    endpoints.MapAreaControllerRoute("areaRoute", "MySpace",

samples/Samples.AspNet/Views/Shared/Index.cshtml

@@ -11,7 +11,7 @@
     <partial name="Index.RightPanel" />
 </div>
 @section scripts {
-<script>
+<script nonce="@Context.GetNonce()">
     $(function () {
         // these links should fire ajax requests, not do navigation
         $('.ajax-requests a').click(function () {

samples/Samples.AspNet/Views/Shared/_Layout.cshtml

@@ -47,7 +47,7 @@
     @RenderSection("scripts", required: false)
 
     @* Simple options are exposed...or make a full options class for customizing. *@
-    <mini-profiler position="@RenderPosition.Right" max-traces="5" color-scheme="ColorScheme.Auto" nonce="45" decimal-places="2" />
+    <mini-profiler position="@RenderPosition.Right" max-traces="5" color-scheme="ColorScheme.Auto" decimal-places="2" />
     @*<mini-profiler options="new RenderOptions { Position = RenderPosition.Right, MaxTracesToShow = 5, ColorScheme = ColorScheme.Auto }" />*@
 </body>
 </html>