CSP Level 3 Support - Nonce on all scripts

[Jeavon]

Which Umbraco Forms version are you using? (Please write the exact version, example: 13.4.0)

17.0.1

Which Umbraco version are you using? (Please write the exact version, example: 13.5.2)

17.0.0

Issue summary

It should be easy to add add a nonce to all scripts rendered by UmbracoForms when requiring CSP Level 3 compliance. Currently this is possible but it's overly complicated.

Specifics

It should be easy to add add a nonce to all scripts rendered by UmbracoForms when requiring CSP Level 3 compliance. Currently this is possible but it's overly complicated.

Different implementations may be generating their nonce in different ways so I propose a interface that a implementor can use with their own provider, e.g. INonceProvider interface in Umbraco Forms.

public interface INonceProvider
{
    string? GetNonce();

Example using NetEscapades for Nonce generation

public class NetEscapadesNonceProvider : INonceProvider
{
    private readonly IHttpContextAccessor _httpContextAccessor;

    public NetEscapadesNonceProvider(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    public string? GetNonce()
    {
        var httpContext = _httpContextAccessor.HttpContext;
        if (httpContext == null)
        {
            return null;
        }
        return httpContext.GetNonce();
    }
}

and then

builder.Services.AddSingleton<INonceProvider, NetEscapadesNonceProvider>();

Additionally for externally hosted scripts RenderFormScripts should not append the v= querystring when rendering those script tags.

Steps to reproduce

Implement NetEscapades CSP with strict-dynamic on the script-src policy and render Umbraco Forms.

Expected result / actual result

All script tags should carry the nonce provided. Scripts loaded from external/cdn sources shouldn't have additional querystrings appended.

[Amalie-Wowern]

Thank you for raising this.
I will move this to Discussions as it is a feature request.