From fd5290869e3807b61d8128db7d9a5e1736d36b8f Mon Sep 17 00:00:00 2001
From: gchatz22 <44476526+gchatz22@users.noreply.github.com>
Date: Thu, 13 Aug 2020 17:08:27 +0300
Subject: [PATCH] Middleware and TagHelpers for CSP support in ASP.NET (#1)

Hello .NET community!

This PR adds Content Security Policy support for ASP.NET as middleware. CSP is a popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.

Summary of the changes (Less than 80 chars)

* Allow configuration of whether CSP enabled in reporting or enforcement modes.
* Allows configuration of a report URI, for violation reports sent by the browser.
* CSP middleware generates a nonce-based, strict-dynamic policy.
* Middleware adds thepolicy to HTTP responses according to the configuration.
* Custom <script> TagHelper to set nonce attribute on script blocks automatically.
* Provides a default implementation of a CSP violation report collection endpoint.
* Example app that uses our CSP middleware and corresponding basic unit tests.
* With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS.

Addresses https://github.com/dotnet/aspnetcore/issues/6001

Co-authored with: Aaron Shim - aaronshim@google.com
---
 CSP/CSP.slnf                                  |  10 +
 CSP/README.md                                 |  38 +++
 CSP/src/ContentSecurityPolicy.cs              |  72 +++++
 CSP/src/ContentSecurityPolicyBuilder.cs       |  88 +++++++
 CSP/src/CspConstants.cs                       |  36 +++
 CSP/src/CspMiddleware.cs                      |  34 +++
 CSP/src/CspMiddlewareExtensions.cs            |  61 +++++
 CSP/src/CspReport.cs                          |  65 +++++
 CSP/src/CspReportLogger.cs                    | 111 ++++++++
 CSP/src/CspReportingMiddleware.cs             |  50 ++++
 CSP/src/INonce.cs                             |  35 +++
 CSP/src/Microsoft.AspNetCore.Csp.csproj       |  21 ++
 CSP/src/NoncedScriptTagHelper.cs              |  26 ++
 .../ContentSecurityPolicyBuilderTest.cs       |  32 +++
 .../UnitTests/ContentSecurityPolicyTest.cs    | 140 ++++++++++
 CSP/test/UnitTests/CspMiddlewareTests.cs      | 154 +++++++++++
 CSP/test/UnitTests/CspReportLoggerTest.cs     | 245 ++++++++++++++++++
 .../Microsoft.AspNetCore.Csp.Test.csproj      |  18 ++
 CSP/test/UnitTests/TestUtils.cs               |  46 ++++
 .../CspMiddlewareWebSite.csproj               |  22 ++
 .../CspApplication/Pages/Error.cshtml         |  26 ++
 .../CspApplication/Pages/Error.cshtml.cs      |  31 +++
 .../CspApplication/Pages/Index.cshtml         |  26 ++
 .../CspApplication/Pages/Index.cshtml.cs      |  25 ++
 .../CspApplication/Pages/Privacy.cshtml       |   8 +
 .../CspApplication/Pages/Privacy.cshtml.cs    |  24 ++
 .../Pages/Shared/_Layout.cshtml               |  47 ++++
 .../Shared/_ValidationScriptsPartial.cshtml   |   2 +
 .../CspApplication/Pages/_ViewImports.cshtml  |   4 +
 .../CspApplication/Pages/_ViewStart.cshtml    |   3 +
 CSP/test/testassets/CspApplication/README.md  |   5 +
 CSP/test/testassets/CspApplication/Startup.cs |  63 +++++
 .../appsettings.Development.json              |   9 +
 .../CspApplication/appsettings.json           |  10 +
 .../CspApplication/wwwroot/css/site.css       |  71 +++++
 .../CspApplication/wwwroot/favicon.ico        | Bin 0 -> 32038 bytes
 .../CspApplication/wwwroot/js/example.js      |   1 +
 .../CspApplication/wwwroot/js/site.js         |   6 +
 38 files changed, 1665 insertions(+)
 create mode 100644 CSP/CSP.slnf
 create mode 100644 CSP/README.md
 create mode 100644 CSP/src/ContentSecurityPolicy.cs
 create mode 100644 CSP/src/ContentSecurityPolicyBuilder.cs
 create mode 100644 CSP/src/CspConstants.cs
 create mode 100644 CSP/src/CspMiddleware.cs
 create mode 100644 CSP/src/CspMiddlewareExtensions.cs
 create mode 100644 CSP/src/CspReport.cs
 create mode 100644 CSP/src/CspReportLogger.cs
 create mode 100644 CSP/src/CspReportingMiddleware.cs
 create mode 100644 CSP/src/INonce.cs
 create mode 100644 CSP/src/Microsoft.AspNetCore.Csp.csproj
 create mode 100644 CSP/src/NoncedScriptTagHelper.cs
 create mode 100644 CSP/test/UnitTests/ContentSecurityPolicyBuilderTest.cs
 create mode 100644 CSP/test/UnitTests/ContentSecurityPolicyTest.cs
 create mode 100644 CSP/test/UnitTests/CspMiddlewareTests.cs
 create mode 100644 CSP/test/UnitTests/CspReportLoggerTest.cs
 create mode 100644 CSP/test/UnitTests/Microsoft.AspNetCore.Csp.Test.csproj
 create mode 100644 CSP/test/UnitTests/TestUtils.cs
 create mode 100644 CSP/test/testassets/CspApplication/CspMiddlewareWebSite.csproj
 create mode 100644 CSP/test/testassets/CspApplication/Pages/Error.cshtml
 create mode 100644 CSP/test/testassets/CspApplication/Pages/Error.cshtml.cs
 create mode 100644 CSP/test/testassets/CspApplication/Pages/Index.cshtml
 create mode 100644 CSP/test/testassets/CspApplication/Pages/Index.cshtml.cs
 create mode 100644 CSP/test/testassets/CspApplication/Pages/Privacy.cshtml
 create mode 100644 CSP/test/testassets/CspApplication/Pages/Privacy.cshtml.cs
 create mode 100644 CSP/test/testassets/CspApplication/Pages/Shared/_Layout.cshtml
 create mode 100644 CSP/test/testassets/CspApplication/Pages/Shared/_ValidationScriptsPartial.cshtml
 create mode 100644 CSP/test/testassets/CspApplication/Pages/_ViewImports.cshtml
 create mode 100644 CSP/test/testassets/CspApplication/Pages/_ViewStart.cshtml
 create mode 100644 CSP/test/testassets/CspApplication/README.md
 create mode 100644 CSP/test/testassets/CspApplication/Startup.cs
 create mode 100644 CSP/test/testassets/CspApplication/appsettings.Development.json
 create mode 100644 CSP/test/testassets/CspApplication/appsettings.json
 create mode 100644 CSP/test/testassets/CspApplication/wwwroot/css/site.css
 create mode 100644 CSP/test/testassets/CspApplication/wwwroot/favicon.ico
 create mode 100644 CSP/test/testassets/CspApplication/wwwroot/js/example.js
 create mode 100644 CSP/test/testassets/CspApplication/wwwroot/js/site.js

diff --git a/CSP/CSP.slnf b/CSP/CSP.slnf
new file mode 100644
index 000000000..d559cbaea
--- /dev/null
+++ b/CSP/CSP.slnf
@@ -0,0 +1,10 @@
+{
+  "solution": {
+    "path": "..\\..\\..\\AspNetCore.sln",
+    "projects": [
+      "src\\Middleware\\CSP\\src\\Microsoft.AspNetCore.Csp.csproj",
+      "src\\Middleware\\CSP\\test\\UnitTests\\Microsoft.AspNetCore.Csp.Test.csproj",
+      "src\\Middleware\\CSP\\test\\testassets\\CspMiddlewareWebSite.csproj",
+    ]
+  }
+}
\ No newline at end of file
diff --git a/CSP/README.md b/CSP/README.md
new file mode 100644
index 000000000..c2e7bbeef
--- /dev/null
+++ b/CSP/README.md
@@ -0,0 +1,38 @@
+# CSP
+
+## Description
+
+This directory contains .NET Core middleware for Content Security Policy (CSP). CSP is a very popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.
+
+Design document: [Implementing CSP Support in .NET Core](https://docs.google.com/document/d/13NPKn65Wf1PdIwNL7H0cxhwmp2r8ZTe6vizXzO2HqY4/edit#)
+There was a previous discussion about CSP in .NET [here](https://github.com/dotnet/aspnetcore/issues/6001), that we have considered for our design.
+
+## Contributions
+This directory includes the following changes:
+
+* Allow configuration of whether CSP enabled in reporting or enforcement modes.
+* Allows configuration of a report URI, for violation reports sent by the browser.
+* CSP middleware generates a nonce-based, strict-dynamic policy.
+* Middleware adds the policy to HTTP responses according to the configuration.
+* Custom <script> TagHelper to set nonce attribute on script blocks automatically.
+* Provides a default implementation of a CSP violation report collection endpoint.
+* Example app that uses our CSP middleware and corresponding basic unit tests.
+
+## Usage:
+
+```
+// CSP configuration. Must come first because other middleware might skip any following middleware.
+
+	app.UseCsp(policyBuilder =>
+policyBuilder.WithCspMode(CspMode.ENFORCING)
+	
+.WithReportingUri("/csp"));
+```
+You can find the sample app under `./test/testassets/CspApplication/` directory.
+
+# Point of contact
+* Barry Dorrans - barry.dorrans@microsoft.com
+
+## Authors
+* Co-authored-by: Aaron Shim - aaronshim@google.com
+* Co-authored-by: Santiago Diaz - salchoman@gmail.com
\ No newline at end of file
diff --git a/CSP/src/ContentSecurityPolicy.cs b/CSP/src/ContentSecurityPolicy.cs
new file mode 100644
index 000000000..3534b57a9
--- /dev/null
+++ b/CSP/src/ContentSecurityPolicy.cs
@@ -0,0 +1,72 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Text;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// A greedy Content Security Policy generator
+    /// </summary>
+    public class ContentSecurityPolicy
+    {
+        private readonly string _baseAndObject = "base-uri 'none'; object-src 'none'";
+        private readonly Func<INonce, string> policyBuilder;
+
+        private readonly CspMode _cspMode;
+        private readonly bool _strictDynamic;
+        private readonly bool _unsafeEval;
+        private readonly string _reportingUri;
+
+        /// <summary>
+        /// Instantiates a new <see cref="ContentSecurityPolicy"/>.
+        /// </summary>
+        /// <param name="cspMode">Represents whether the current policy is in enforcing or reporting mode.</param>
+        /// <param name="strictDynamic">Whether the policy should enable nonce propagation.</param>
+        /// <param name="unsafeEval">Whether JavaScript's eval should be allowed to run.</param>
+        /// <param name="reportingUri">An absolute or relative URI representing the reporting endpoint</param>
+        public ContentSecurityPolicy(
+            CspMode cspMode,
+            bool strictDynamic,
+            bool unsafeEval,
+            string reportingUri
+        )
+        {
+            _cspMode = cspMode;
+            _strictDynamic = strictDynamic;
+            _unsafeEval = unsafeEval;
+            _reportingUri = reportingUri;
+
+            // compute the static directives of the policy up front to avoid doing so on every request
+            var policyFormat = new StringBuilder()
+                .Append("script-src")
+                .Append(" 'nonce-{0}' ")  // nonce
+                .Append(_strictDynamic ? "'strict-dynamic'" : "")
+                .Append(_unsafeEval ? "'unsafe-eval'" : "")
+                .Append(" https: http:;")  // fall-back allowlist-based CSP for browsers that don't support nonces
+                .Append(_baseAndObject)
+                .Append("; ")               // end of script-src
+                .Append(_reportingUri != null ? "report-uri " + _reportingUri : "")
+                .ToString();
+
+            policyBuilder = nonce => string.Format(policyFormat, nonce.GetValue());
+        }
+
+        public string GetHeaderName()
+        {
+            return _cspMode == CspMode.REPORTING ? CspConstants.CspReportingHeaderName : CspConstants.CspEnforcedHeaderName;
+        }
+        public string GetPolicy(INonce nonce)
+        {
+            return policyBuilder.Invoke(nonce);
+        }
+    }
+
+    public enum CspMode
+    {
+        NONE,
+        REPORTING,
+        ENFORCING
+    }
+}
diff --git a/CSP/src/ContentSecurityPolicyBuilder.cs b/CSP/src/ContentSecurityPolicyBuilder.cs
new file mode 100644
index 000000000..1c574c394
--- /dev/null
+++ b/CSP/src/ContentSecurityPolicyBuilder.cs
@@ -0,0 +1,88 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// Allows customizing content security policies
+    /// </summary>
+    public class ContentSecurityPolicyBuilder
+    {
+        private CspMode _cspMode;
+        private bool _strictDynamic;
+        private bool _unsafeEval;
+        private string _reportingUri;
+        private LogLevel _logLevel = LogLevel.Information;
+
+        public ContentSecurityPolicyBuilder WithCspMode(CspMode cspMode)
+        {
+            _cspMode = cspMode;
+            return this;
+        }
+
+        public ContentSecurityPolicyBuilder WithStrictDynamic()
+        {
+            _strictDynamic = true;
+            return this;
+        }
+
+        public ContentSecurityPolicyBuilder WithUnsafeEval()
+        {
+            _unsafeEval = true;
+            return this;
+        }
+        public ContentSecurityPolicyBuilder WithReportingUri(string reportingUri)
+        {
+            // TODO: normalize URL
+            _reportingUri = reportingUri;
+            return this;
+        }
+
+        public ContentSecurityPolicyBuilder WithLogLevel(LogLevel logLevel)
+        {
+            _logLevel = logLevel;
+            return this;
+        }
+
+        /// <summary>
+        /// Whether the policy specifies a relative reporting URI.
+        /// </summary>
+        /// <remarks>
+        /// If this method returns true, a handler for the reporting endpoint will be automatically added to this application.
+        /// </remarks>
+        public bool HasLocalReporting()
+        {
+            return _reportingUri != null && _reportingUri.StartsWith("/");
+        }
+
+        public CspReportLogger ReportLogger(ICspReportLoggerFactory loggerFactory)
+        {
+            return loggerFactory.BuildLogger(_logLevel, _reportingUri);
+        }
+
+        public ContentSecurityPolicy Build()
+        {
+            if (_cspMode == CspMode.NONE)
+            {
+                // TODO: Error message
+                throw new InvalidOperationException();
+            }
+
+            if (_cspMode == CspMode.REPORTING && _reportingUri == null)
+            {
+                // TODO: Error message
+                throw new InvalidOperationException();
+            }
+
+            return new ContentSecurityPolicy(
+                _cspMode,
+                _strictDynamic,
+                _unsafeEval,
+                _reportingUri
+            );
+        }
+    }
+}
diff --git a/CSP/src/CspConstants.cs b/CSP/src/CspConstants.cs
new file mode 100644
index 000000000..4ec6fbc2a
--- /dev/null
+++ b/CSP/src/CspConstants.cs
@@ -0,0 +1,36 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// CSP-related constants.
+    /// </summary>
+    public static class CspConstants
+    {
+        /// <summary>
+        /// CSP header name in enforcement mode.
+        /// </summary>
+        public static readonly string CspEnforcedHeaderName = "Content-Security-Policy";
+        /// <summary>
+        /// CSP header name in reporting mode.
+        /// </summary>
+        public static readonly string CspReportingHeaderName = "Content-Security-Policy-Report-Only";
+        /// <summary>
+        /// Expected content type for requests containing CSP violation reports.
+        /// </summary>
+        public static readonly string CspReportContentType = "application/csp-report";
+        /// <summary>
+        /// Possible violated directive value used to create textual representations of violation reports.
+        /// </summary>
+        public static readonly string ScriptSrcElem = "script-src-elem";
+        /// <summary>
+        /// Possible blocked URI value used to create textual representations of violation reports.
+        /// </summary>
+        public static readonly string BlockedUriInline = "inline";
+        /// <summary>
+        /// Possible violated directive value used to create textual representations of violation reports.
+        /// </summary>
+        public static readonly string ScriptSrcAttr = "script-src-attr";
+    }
+}
diff --git a/CSP/src/CspMiddleware.cs b/CSP/src/CspMiddleware.cs
new file mode 100644
index 000000000..1305a034f
--- /dev/null
+++ b/CSP/src/CspMiddleware.cs
@@ -0,0 +1,34 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// Middleware for supporting CSP.
+    /// </summary>
+    public class CspMiddleware
+    {
+        private readonly RequestDelegate _next;
+        private readonly ContentSecurityPolicy _csp;
+
+        /// <summary>
+        /// Instantiates a new <see cref="CspMiddleware"/>.
+        /// </summary>
+        /// <param name="next">The next middleware in the pipeline.</param>
+        /// <param name="csp">A content security policy generator.</param>
+        public CspMiddleware(RequestDelegate next, ContentSecurityPolicy csp)
+        {
+            _next = next;
+            _csp = csp;
+        }
+
+        public Task Invoke(HttpContext context, INonce nonce)
+        {
+            context.Response.Headers[_csp.GetHeaderName()] = _csp.GetPolicy(nonce);
+            return _next(context);
+        }
+    }
+}
diff --git a/CSP/src/CspMiddlewareExtensions.cs b/CSP/src/CspMiddlewareExtensions.cs
new file mode 100644
index 000000000..eceb1c4bc
--- /dev/null
+++ b/CSP/src/CspMiddlewareExtensions.cs
@@ -0,0 +1,61 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// Extends <see cref="IApplicationBuilder"/> to add CSP middleware support.
+    /// </summary>
+    public static class CspMiddlewareExtensions
+    {
+        /// <summary>
+        /// Adds a CSP middleware to this web application pipeline that will add a custom policy to responses and collect CSP violation reports sent by user agents.
+        /// </summary>
+        /// <param name="app">The IApplicationBuilder passed to the Configure method</param>
+        /// <param name="configurePolicy">A delegate to build a custom content security policy</param>
+        /// <returns>The original app parameter</returns>
+        public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action<ContentSecurityPolicyBuilder> configurePolicy)
+        {
+            if (app == null)
+            {
+                throw new ArgumentNullException(nameof(app));
+            }
+
+            var policyBuilder = new ContentSecurityPolicyBuilder();
+            configurePolicy(policyBuilder);
+
+            if (policyBuilder.HasLocalReporting())
+            {
+                var loggerFactory = app.ApplicationServices.GetService<ICspReportLoggerFactory>();
+                var reportLogger = policyBuilder.ReportLogger(loggerFactory);
+                app.UseWhen(
+                    context => context.Request.Path.StartsWithSegments(reportLogger.ReportUri),
+                    appBuilder => appBuilder.UseMiddleware<CspReportingMiddleware>(reportLogger));
+            }
+
+            return app.UseMiddleware<CspMiddleware>(policyBuilder.Build());
+        }
+
+        /// <summary>
+        /// Adds the necessary bindings for CSP. Namely, allows adding nonces to script tags automatically and provides a custom logging factory.
+        /// </summary>
+        /// <param name="app">The IApplicationBuilder passed to the Configure method</param>
+        /// <returns>The original services parameter</returns>
+        public static IServiceCollection AddCsp(this IServiceCollection services)
+        {
+            if (services == null)
+            {
+                throw new ArgumentNullException(nameof(services));
+            }
+
+            services.AddScoped<INonce, Nonce>();
+            services.AddSingleton<ICspReportLoggerFactory, CspReportLoggerFactory>();
+
+            return services;
+        }
+    }
+}
diff --git a/CSP/src/CspReport.cs b/CSP/src/CspReport.cs
new file mode 100644
index 000000000..8cf93b7c9
--- /dev/null
+++ b/CSP/src/CspReport.cs
@@ -0,0 +1,65 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Diagnostics.CodeAnalysis;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// An object representing a CSP violation report.
+    /// </summary>
+    public class CspReport
+    {
+        [JsonPropertyName("csp-report")]
+        public Report ReportData { get; set; }
+        public class Report
+        {
+            [JsonPropertyName("blocked-uri")]
+            public string BlockedUri { get; set; }
+            [JsonPropertyName("document-uri")]
+            public string DocumentUri { get; set; }
+            [JsonPropertyName("referrer")]
+            public string Referrer { get; set; }
+            [JsonPropertyName("violated-directive")]
+            public string ViolatedDirective { get; set; }
+            [JsonPropertyName("source-file")]
+            public string SourceFile { get; set; }
+            [JsonPropertyName("line-number")]
+            [JsonConverter(typeof(NumberToStringConverter))]
+            public string LineNumber { get; set; }
+
+            // Old browsers don't set the next two fields (e.g. Firefox v25/v26)
+            [JsonPropertyName("original-policy")]
+            public string OriginalPolicy { get; set; }
+            [JsonPropertyName("effective-directive")]
+            public string EffectiveDirective { get; set; }
+
+            // CSP3 only
+            [JsonPropertyName("script-sample")]
+            public string ScriptSample { get; set; }
+            [JsonPropertyName("disposition")]
+            public string Disposition { get; set; }
+        }
+    }
+
+    class NumberToStringConverter : JsonConverter<string>
+    {
+        public override string Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+        {
+            if (reader.TokenType == JsonTokenType.Number)
+            {
+                return reader.GetInt32().ToString();
+            }
+
+            return reader.GetString();
+        }
+
+        public override void Write(Utf8JsonWriter writer, string value, JsonSerializerOptions options)
+        {
+            writer.WriteStringValue(value);
+        }
+    }
+}
diff --git a/CSP/src/CspReportLogger.cs b/CSP/src/CspReportLogger.cs
new file mode 100644
index 000000000..5c6605b39
--- /dev/null
+++ b/CSP/src/CspReportLogger.cs
@@ -0,0 +1,111 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.IO;
+using System.Text.Json;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// CSP report logger factory used to provide custom report loggers that handle violation reports.
+    /// </summary>
+    public interface ICspReportLoggerFactory
+    {
+        CspReportLogger BuildLogger(LogLevel logLevel, string reportUri);
+    }
+
+    /// <summary>
+    /// Default CSP report logger factory implementation. Registers a CspReportLogger as the default handler.
+    /// </summary>
+    public class CspReportLoggerFactory : ICspReportLoggerFactory
+    {
+        private readonly ILogger<CspReportLogger> _logger;
+        public CspReportLoggerFactory(ILogger<CspReportLogger> logger)
+        {
+            _logger = logger;
+        }
+
+        public CspReportLogger BuildLogger(LogLevel logLevel, string reportUri)
+        {
+            return new CspReportLogger
+            {
+                LogLevel = logLevel,
+                ReportUri = reportUri,
+                Logger = _logger
+            };
+        }
+    }
+
+    /// <summary>
+    /// This CSP report logger marshals JSON violation reports asynchronously into objects that can be turned into textual descriptions of these reports, explaining their root cause.
+    /// This behavior is controlled by the log level set on the content security policy.
+    /// </summary>
+    public class CspReportLogger
+    {
+        private readonly JsonSerializerOptions _serializerOptions = new JsonSerializerOptions
+        {
+            PropertyNameCaseInsensitive = true,
+            ReadCommentHandling = JsonCommentHandling.Skip,
+            AllowTrailingCommas = true
+        };
+
+        public virtual async void Log(Stream jsonReport)
+        {
+            if (LogLevel.CompareTo(LogLevel.Information) >= 0)
+            {
+                try
+                {
+                    CspReport cspReport = await JsonSerializer.DeserializeAsync<CspReport>(jsonReport, _serializerOptions);
+                    if (cspReport.ReportData != null)
+                    {
+                        Logger.Log(LogLevel, TextualizeReport(cspReport));
+                    }
+                }
+                catch (JsonException)
+                {
+                }
+
+                return;
+            }
+
+            Logger.Log(LogLevel, new StreamReader(jsonReport).ReadToEnd());
+        }
+
+        private string TextualizeReport(CspReport report)
+        {
+            if (LogLevel.CompareTo(LogLevel.Information) >= 0)
+            {
+                if (CspConstants.BlockedUriInline.Equals(report.ReportData.BlockedUri))
+                {
+                    // javascript: URI not allowed
+                    if (CspConstants.ScriptSrcElem.Equals(report.ReportData.ViolatedDirective))
+                    {
+                        return string.Format("Attempt to navigate to javascript URI from {0} was refused by policy", report.ReportData.DocumentUri);
+                    }
+                    // inline event handler
+                    else if (CspConstants.ScriptSrcAttr.Equals(report.ReportData.ViolatedDirective))
+                    {
+                        return string.Format("Inline event handler at {0} (line number {1}) was refused by policy", report.ReportData.DocumentUri, report.ReportData.LineNumber);
+                    }
+                }
+                // script is missing or doesn't match nonce in the policy
+                else if (CspConstants.ScriptSrcElem.Equals(report.ReportData.ViolatedDirective))
+                {
+                    return string.Format(
+                        "Script at {0} (line {1}) trying to load {2} refused to run due to missing or mismatching nonce value",
+                        report.ReportData.DocumentUri,
+                        report.ReportData.LineNumber,
+                        report.ReportData.BlockedUri
+                    );
+                }
+            }
+
+            return report.ToString();
+        }
+
+        public LogLevel LogLevel { get; internal set; }
+        public string ReportUri { get; internal set; }
+        public ILogger<CspReportLogger> Logger { get; internal set; }
+    }
+}
diff --git a/CSP/src/CspReportingMiddleware.cs b/CSP/src/CspReportingMiddleware.cs
new file mode 100644
index 000000000..f24342042
--- /dev/null
+++ b/CSP/src/CspReportingMiddleware.cs
@@ -0,0 +1,50 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Net;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// CSP middleware used to collect violation reports sent by user agents. Enabled automatically when a relative reporting URI is set on the CSP policy.
+    /// </summary>
+    public class CspReportingMiddleware
+    {
+        private readonly CspReportLogger _cspReportLogger;
+
+        /// <summary>
+        /// Instantiates a new <see cref="CspReportingMiddleware"/>.
+        /// </summary>
+        /// <param name="next">The next middleware in the pipeline.</param>
+        /// <param name="reportLogger">A custom logger that allows extending this middleware's logging capabilities.</param>
+        public CspReportingMiddleware(RequestDelegate next, CspReportLogger reportLogger)
+        {
+            _cspReportLogger = reportLogger;
+        }
+
+        private bool IsReportRequest(HttpRequest request)
+        {
+            return request.Path.StartsWithSegments(_cspReportLogger.ReportUri)
+                && request.Method == HttpMethods.Post
+                && request.ContentType?.StartsWith(CspConstants.CspReportContentType) == true
+                && request.ContentLength != 0;
+        }
+
+
+        /// <summary>
+        /// Handle incoming violation reports. Returns a 204 response regardless of whether the report is valid.
+        /// </summary>
+        public Task Invoke(HttpContext context)
+        {
+            if (IsReportRequest(context.Request))
+            {
+                _cspReportLogger.Log(context.Request.Body);
+            }
+
+            context.Response.StatusCode = (int)HttpStatusCode.NoContent;
+            return Task.FromResult(0);
+        }
+    }
+}
diff --git a/CSP/src/INonce.cs b/CSP/src/INonce.cs
new file mode 100644
index 000000000..ca0c640d3
--- /dev/null
+++ b/CSP/src/INonce.cs
@@ -0,0 +1,35 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+using System;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// Simple interface representing a CSP nonce value.
+    /// </summary>
+    public interface INonce
+    {
+        string GetValue();
+    }
+
+    /// <summary>
+    /// Default nonce implementation. Computes a random nonce and returns its base64 value on instantiation.
+    /// </summary>
+    public class Nonce : INonce
+    {
+        private readonly string _value;
+        private static readonly Lazy<Random> _gen = new Lazy<Random>(() => new Random());
+
+        public Nonce()
+        {
+            byte[] bytes = new byte[7];
+            _gen.Value.NextBytes(bytes);
+            _value = Convert.ToBase64String(bytes);
+        }
+
+        public string GetValue()
+        {
+            return _value;
+        }
+    }
+}
diff --git a/CSP/src/Microsoft.AspNetCore.Csp.csproj b/CSP/src/Microsoft.AspNetCore.Csp.csproj
new file mode 100644
index 000000000..6f7a0a4a0
--- /dev/null
+++ b/CSP/src/Microsoft.AspNetCore.Csp.csproj
@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <Description>
+      CSP middleware and policy for ASP.NET Core to enable Content Security Policy.
+    </Description>
+    <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
+    <IsAspNetCoreApp>true</IsAspNetCoreApp>
+    <PackageTags>aspnetcore;csp</PackageTags>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.Http.Extensions" />
+    <Reference Include="Microsoft.AspNetCore.Mvc.TagHelpers" />
+    <Reference Include="Microsoft.Extensions.Configuration.Abstractions" />
+    <Reference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
+    <Reference Include="Microsoft.Extensions.Logging.Abstractions" />
+    <Reference Include="Microsoft.Extensions.Options" />
+  </ItemGroup>
+
+</Project>
diff --git a/CSP/src/NoncedScriptTagHelper.cs b/CSP/src/NoncedScriptTagHelper.cs
new file mode 100644
index 000000000..bb2c5d064
--- /dev/null
+++ b/CSP/src/NoncedScriptTagHelper.cs
@@ -0,0 +1,26 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+using Microsoft.AspNetCore.Razor.TagHelpers;
+
+namespace Microsoft.AspNetCore.Csp
+{
+    /// <summary>
+    /// Tag helper used to automatically a nonce attribute to existing script tags. This is required to support nonce-based content security policies.
+    /// </summary>
+    [HtmlTargetElement("script")]
+    public class NoncedScriptTagHelper : TagHelper
+    {
+        private readonly INonce _nonce;
+
+        public NoncedScriptTagHelper(INonce nonce)
+        {
+            _nonce = nonce;
+        }
+
+        public override void Process(TagHelperContext context, TagHelperOutput output)
+        {
+            output.TagName = "script";
+            output.Attributes.SetAttribute("nonce", _nonce.GetValue());
+        }
+    }
+}
diff --git a/CSP/test/UnitTests/ContentSecurityPolicyBuilderTest.cs b/CSP/test/UnitTests/ContentSecurityPolicyBuilderTest.cs
new file mode 100644
index 000000000..ab04dea23
--- /dev/null
+++ b/CSP/test/UnitTests/ContentSecurityPolicyBuilderTest.cs
@@ -0,0 +1,32 @@
+
+
+using System;
+using Microsoft.Extensions.Logging;
+using Xunit;
+
+namespace Microsoft.AspNetCore.Csp.Test
+{
+    public class ContentSecurityPolicyBuilderTest
+    {
+        [Fact]
+        public void IfCspModeNotSet_thenExceptionThrown()
+        {
+            Assert.Throws<InvalidOperationException>(
+                () => new ContentSecurityPolicyBuilder()
+                .Build()
+            );
+        }
+
+        // TODO: Add logging configuration test
+
+        [Fact]
+        public void WhenModeSetToReporting_IfNoReportingUriSet_thenExceptionThrown()
+        {
+            Assert.Throws<InvalidOperationException>(
+                () => new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.REPORTING)
+                .Build()
+            );
+        }
+    }
+}
diff --git a/CSP/test/UnitTests/ContentSecurityPolicyTest.cs b/CSP/test/UnitTests/ContentSecurityPolicyTest.cs
new file mode 100644
index 000000000..59a0f6a56
--- /dev/null
+++ b/CSP/test/UnitTests/ContentSecurityPolicyTest.cs
@@ -0,0 +1,140 @@
+using Xunit;
+
+namespace Microsoft.AspNetCore.Csp.Test
+{
+    public class ContentSecurityPolicyTest
+    {
+        /// <summary>
+        ///  Mocking a INonce for generating policies with a testable, fixed nonce.
+        /// </summary>
+        private class TestNonce : INonce
+        {
+            private readonly string _val;
+
+            public TestNonce(string value)
+            {
+                _val = value;
+            }
+
+            public string GetValue()
+            {
+                return _val;
+            }
+        }
+
+        [Fact]
+        public void SetsCorrectHeaderNameInReportingMode()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.REPORTING)
+                .WithReportingUri("/csp")
+                .Build();
+
+            Assert.Equal(CspConstants.CspReportingHeaderName, policy.GetHeaderName());
+        }
+
+        [Fact]
+        public void SetsCorrectHeaderNameInEnforcementMode()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .Build();
+
+            Assert.Equal(CspConstants.CspEnforcedHeaderName, policy.GetHeaderName());
+        }
+
+        [Fact]
+        public void WhenStrictDynamicNotSet_BuildsPolicyCorrectly()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .Build();
+
+            Assert.DoesNotContain("strict-dynamic", policy.GetPolicy(new InertNonce()));
+        }
+
+        [Fact]
+        public void WhenStrictDynamicSet_BuildsPolicyCorrectly()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .WithStrictDynamic()
+                .Build();
+
+            Assert.Contains("strict-dynamic", policy.GetPolicy(new InertNonce()));
+        }
+
+        [Fact]
+        public void WhenUnsafeEvalNotSet_BuildsPolicyCorrectly()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .Build();
+
+            Assert.DoesNotContain("unsafe-eval", policy.GetPolicy(new InertNonce()));
+        }
+
+        [Fact]
+        public void WhenUnsafeEvalSet_BuildsPolicyCorrectly()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .WithUnsafeEval()
+                .Build();
+
+            Assert.Contains("unsafe-eval", policy.GetPolicy(new InertNonce()));
+        }
+
+        // TODO: Add more coverage around reporting URLs
+        [Fact]
+        public void WhenReportingUriSet_BuildsPolicyCorrectly()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .WithReportingUri("/cspreport")
+                .Build();
+
+            Assert.Contains("report-uri /cspreport", policy.GetPolicy(new InertNonce()));
+        }
+
+        [Fact]
+        public void AlwaysRestrictsBaseUriAndObjectSrcToNone()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .Build();
+
+            Assert.Contains("base-uri 'none'; object-src 'none';", policy.GetPolicy(new InertNonce()));
+        }
+
+        [Fact]
+        public void AlwaysSetsFallbackHttpAndHttpsProtocolsInScriptSrc()
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .Build();
+
+            Assert.Matches("script-src .* https: http:", policy.GetPolicy(new InertNonce()));
+        }
+
+        [Theory]
+        [InlineData("ABCDE")]
+        [InlineData("1234567890")]
+        public void SetNonceIfProvided(string nonce)
+        {
+            var policy = new ContentSecurityPolicyBuilder()
+                .WithCspMode(CspMode.ENFORCING)
+                .Build();
+
+            Assert.Matches(string.Format("'nonce-{0}", nonce), policy.GetPolicy(new TestNonce(nonce)));
+        }
+    }
+
+    public class InertNonce : INonce
+    {
+        public string GetValue()
+        {
+            return "inert";
+        }
+    }
+}
diff --git a/CSP/test/UnitTests/CspMiddlewareTests.cs b/CSP/test/UnitTests/CspMiddlewareTests.cs
new file mode 100644
index 000000000..d225d5cee
--- /dev/null
+++ b/CSP/test/UnitTests/CspMiddlewareTests.cs
@@ -0,0 +1,154 @@
+using Xunit;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Http;
+using System.Linq;
+using Microsoft.Extensions.Logging;
+using Microsoft.Net.Http.Headers;
+using System.IO;
+using System.Text;
+using Moq;
+
+namespace Microsoft.AspNetCore.Csp.Test
+{
+    public class CspMiddlewareTests
+    {
+        [Theory]
+        [InlineData("/")]
+        [InlineData("/cheese")]
+        [InlineData("/foo")]
+        public async Task CspHeaderIsSetOnAllResponses(string requestPath)
+        {
+            // Arrange
+            var hostBuilder = new WebHostBuilder()
+                .ConfigureServices(services => services.AddCsp())
+                .Configure(app =>
+                {
+                    app.UseCsp(policyBuilder =>
+                    {
+                        policyBuilder
+                            .WithCspMode(CspMode.ENFORCING);
+                    });
+                    app.Run(async context =>
+                    {
+                        await context.Response.WriteAsync("Test response");
+                    });
+                });
+
+            using (var server = new TestServer(hostBuilder))
+            {
+                // Act
+                var response = await server.CreateRequest(requestPath)
+                    .SendAsync("GET");
+
+                // Assert
+                response.EnsureSuccessStatusCode();
+                Assert.Single(response.Headers);
+                Assert.NotEmpty(response.Headers.GetValues(CspConstants.CspEnforcedHeaderName).FirstOrDefault());
+                Assert.Equal("Test response", await response.Content.ReadAsStringAsync());
+            }
+        }
+
+        [Theory]
+        [InlineData("/")]
+        public async Task CspNonceExistsInHeader(string requestPath)
+        {
+            // Arrange
+            var hostBuilder = new WebHostBuilder()
+                .ConfigureServices(services => services.AddCsp())
+                .Configure(app =>
+                {
+                    app.UseCsp(policyBuilder =>
+                    {
+                        policyBuilder
+                            .WithCspMode(CspMode.ENFORCING);
+                    });
+                    app.Run(async context =>
+                    {
+                        await context.Response.WriteAsync("Test response");
+                    });
+                });
+
+            using (var server = new TestServer(hostBuilder))
+            {
+                // Act
+                var response = await server.CreateRequest(requestPath)
+                    .SendAsync("GET");
+
+                // Assert
+                response.EnsureSuccessStatusCode();
+                Assert.Equal("Test response", await response.Content.ReadAsStringAsync());
+
+                Assert.Single(response.Headers);
+                var header = response.Headers.GetValues(CspConstants.CspEnforcedHeaderName).FirstOrDefault();
+                Assert.NotEmpty(header);
+                Assert.Matches("'nonce-", header);
+            }
+        }
+
+        [Fact]
+        public async void DoesNotCollectReportsIfReportingUriIsNotRelative()
+        {
+            // Arrange
+            var hostBuilder = new WebHostBuilder()
+                .ConfigureServices(services => services.AddCsp())
+                .Configure(app =>
+                {
+                    app.UseCsp(policyBuilder =>
+                    {
+                        policyBuilder
+                            .WithCspMode(CspMode.ENFORCING)
+                            .WithReportingUri("https://cheese.com/cspreport");
+                    });
+                    app.Run(async context =>
+                    {
+                        await context.Response.WriteAsync("Test response");
+                    });
+                })
+                .ConfigureServices(services => services.AddCsp());
+
+            using (var server = new TestServer(hostBuilder))
+            {
+                // Act
+                var context = await server.SendAsync(c =>
+                {
+                    c.Request.Method = "POST";
+                    c.Request.Path = "/cspreport";
+                    c.Request.Headers[HeaderNames.ContentType] = CspConstants.CspReportContentType;
+                    c.Request.Body = new MemoryStream(Encoding.ASCII.GetBytes(
+                        @"{
+                          ""csp-report"": {
+                            ""document-uri"": ""http://example.com/signup.html"",
+                            ""referrer"": ""http://evil.com"",
+                            ""blocked-uri"": ""http://example.com/css/style.css"",
+                            ""violated-directive"": ""style-src cdn.example.com"",
+                            ""original-policy"": ""default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"",
+                            ""disposition"": ""report""
+                          }
+                        }"
+                    ));
+                });
+
+                // Assert
+                Assert.NotEqual(204, context.Response.StatusCode);
+                Assert.NotEmpty(new StreamReader(context.Response.Body, Encoding.UTF8).ReadToEnd());
+            }
+        }
+    }
+
+    public class FakeReportLoggerFactory : ICspReportLoggerFactory
+    {
+        readonly CspReportLogger logger;
+        public FakeReportLoggerFactory(CspReportLogger logger)
+        {
+            this.logger = logger;
+        }
+        public CspReportLogger BuildLogger(LogLevel logLevel, string reportUri)
+        {
+            return logger;
+        }
+    }
+}
diff --git a/CSP/test/UnitTests/CspReportLoggerTest.cs b/CSP/test/UnitTests/CspReportLoggerTest.cs
new file mode 100644
index 000000000..75b36fab8
--- /dev/null
+++ b/CSP/test/UnitTests/CspReportLoggerTest.cs
@@ -0,0 +1,245 @@
+using System;
+using System.Collections;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Text.RegularExpressions;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Net.Http.Headers;
+using Moq;
+using Xunit;
+using static Microsoft.AspNetCore.Csp.Test.TestUtils;
+
+namespace Microsoft.AspNetCore.Csp.Test
+{
+    public class CspReportLoggerTest
+    {
+        [Theory]
+        [InlineData("GET", "foo")]
+        [InlineData("GET", "application/csp-report")]
+        [InlineData("POST", "foo")]
+        [InlineData("POST", "application/csp-report")]
+        [InlineData("PUT", "foo")]
+        [InlineData("PUT", "application/csp-report")]
+        [InlineData("HEAD", "foo")]
+        [InlineData("HEAD", "application/csp-report")]
+        public async void ProcessesMalformedReportRequestsCorrectly(string method, string contentType)
+        {
+            // Arrange
+            var testLogger = new CspTestLogger();
+            var hostBuilder = new WebHostBuilder()
+                .Configure(app =>
+                {
+                    app.UseCsp(policyBuilder =>
+                    {
+                        policyBuilder
+                            .WithCspMode(CspMode.ENFORCING)
+                            .WithReportingUri("/cspreport");
+                    });
+                    app.Run(async context =>
+                    {
+                        await context.Response.WriteAsync("Test response");
+                    });
+                })
+                .ConfigureServices(services => {
+                    services.AddCsp();
+                });
+
+            using (var server = new TestServer(hostBuilder))
+            {
+                // Act
+                var context = await server.SendAsync(c =>
+                {
+                    c.Request.Method = method;
+                    c.Request.Path = "/cspreport";
+                    c.Request.Headers[HeaderNames.ContentType] = contentType;
+                    c.Request.Body = new MemoryStream(Encoding.ASCII.GetBytes("malformed"));
+                });
+
+                // Assert
+                Assert.Equal(204, context.Response.StatusCode);
+                Assert.Empty(new StreamReader(context.Response.Body).ReadToEnd());
+                testLogger.NoLogStatementsMade();
+            }
+        }
+
+        [Fact]
+        public async void ProcessesCspReportRequestsCorrectly()
+        {
+            // Arrange
+            var mockLogger = new Mock<CspReportLogger>();
+            var loggerFactory = new FakeReportLoggerFactory(mockLogger.Object);
+
+            var hostBuilder = new WebHostBuilder()
+                .Configure(app =>
+                {
+                    app.UseCsp(policyBuilder =>
+                    {
+                        policyBuilder
+                            .WithCspMode(CspMode.ENFORCING)
+                            .WithLogLevel(LogLevel.Trace)
+                            .WithReportingUri("/cspreport");
+                    });
+                    app.Run(async context =>
+                    {
+                        await context.Response.WriteAsync("Test response");
+                    });
+                })
+                .ConfigureServices(services => {
+                    services.AddCsp();
+                    services.AddSingleton<ICspReportLoggerFactory>(loggerFactory);
+                });
+
+            using (var server = new TestServer(hostBuilder))
+            {
+                // Act
+                var context = await server.SendAsync(c =>
+                {
+                    c.Request.Method = "POST";
+                    c.Request.Path = "/cspreport";
+                    c.Request.Headers[HeaderNames.ContentType] = CspConstants.CspReportContentType;
+                    c.Request.Body = new MemoryStream(Encoding.ASCII.GetBytes(
+                        @"{
+                          ""csp-report"": {
+                            ""document-uri"": ""http://example.com/signup.html"",
+                            ""referrer"": ""http://evil.com"",
+                            ""blocked-uri"": ""http://example.com/css/style.css"",
+                            ""violated-directive"": ""style-src cdn.example.com"",
+                            ""original-policy"": ""default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"",
+                            ""disposition"": ""report""
+                          }
+                        }"
+                    ));
+                });
+
+                // Assert
+                Assert.Equal(204, context.Response.StatusCode);
+                Assert.Empty(new StreamReader(context.Response.Body).ReadToEnd());
+                mockLogger.Verify(m => m.Log(It.IsNotNull<Stream>()));
+            }
+        }
+
+        [Theory]
+        [ClassData(typeof(ReportLoggerTestData))]
+        public void LogsTextualRepresentationOfReportWhenLoggingLevelAboveOrEqualToInformation(string expectedDescription, string jsonReport, LogLevel logLevel)
+        {
+            // Arrange
+            var testLogger = new CspTestLogger();
+            var factory = new CspReportLoggerFactory(testLogger);
+            var logger = factory.BuildLogger(logLevel, "reportUri");
+
+            // Act
+            logger.Log(new MemoryStream(Encoding.ASCII.GetBytes(jsonReport)));
+
+            // Assert
+            testLogger.SingleLogStatementMatching(logLevel, expectedDescription);
+        }
+
+
+        [Theory]
+        [InlineData(LogLevel.Debug)]
+        [InlineData(LogLevel.Trace)]
+        public void LogsFullRepresentationOfReportWhenLoggingLevelBelowOrEqualToDebug(LogLevel logLevel)
+        {
+            // Arrange
+            var testLogger = new CspTestLogger();
+            var factory = new CspReportLoggerFactory(testLogger);
+            var logger = factory.BuildLogger(logLevel, "reportUri");
+            var jsonReport = @"{
+                ""csp-report"": {
+                    ""document-uri"": ""http://documenturi"",
+                    ""referrer"": ""http://referrer"",
+                    ""blocked-uri"": ""http://cdn/script.js"",
+                    ""source-file"": ""source.js"",
+                    ""line-number"": ""123"",
+                    ""violated-directive"": ""script-src-elem"",
+                    ""original-policy"": ""script-src 'nonce-abc' http: https:; report-uri /_/csp-reports"",
+                    ""disposition"": ""report""
+                }
+            }";
+
+            // Act
+            logger.Log(new MemoryStream(Encoding.ASCII.GetBytes(jsonReport)));
+
+            // Assert
+            testLogger.SingleLogStatementMatching(logLevel, jsonReport);
+        }
+    }
+
+    class ReportLoggerTestData : IEnumerable<object[]>
+    {
+        List<LogLevel> logLevels = new List<LogLevel>
+        {
+            LogLevel.Information,
+            LogLevel.Warning,
+            LogLevel.Error,
+            LogLevel.Critical
+        };
+
+        List<string> reports = new List<string>
+        {
+            // script block missing nonce
+            @"{
+                ""csp-report"": {
+                    ""document-uri"": ""http://documenturi"",
+                    ""referrer"": ""http://referrer"",
+                    ""blocked-uri"": ""http://cdn/script.js"",
+                    ""source-file"": ""source.js"",
+                    ""line-number"": ""123"",
+                    ""violated-directive"": ""script-src-elem"",
+                    ""original-policy"": ""script-src 'nonce-abc' http: https:; report-uri /_/csp-reports"",
+                    ""disposition"": ""report""
+                }
+            }",
+            // javascript: URI sample
+            @"{
+                ""csp-report"": {
+                    ""document-uri"": ""http://documenturi"",
+                    ""referrer"": ""http://referrer"",
+                    ""blocked-uri"": ""inline"",
+                    ""violated-directive"": ""script-src-elem"",
+                    ""original-policy"": ""script-src 'nonce-abc' http: https:; report-uri /_/csp-reports"",
+                    ""disposition"": ""report""
+                }
+            }",
+            // inline javascript (event handler)
+            @"{
+                ""csp-report"": {
+                    ""document-uri"": ""http://documenturi"",
+                    ""referrer"": ""http://referrer"",
+                    ""blocked-uri"": ""inline"",
+                    ""line-number"": ""123"",
+                    ""violated-directive"": ""script-src-attr"",
+                    ""script-sample"": ""const a = 1"",
+                    ""original-policy"": ""script-src 'nonce-abc' http: https:; report-uri /_/csp-reports"",
+                    ""disposition"": ""report""
+                }
+            }",
+        };
+
+        List<string> expectedDescriptions = new List<string>
+        {
+            "Script at http://documenturi (line 123) trying to load http://cdn/script.js refused to run due to missing or mismatching nonce value",
+            "Attempt to navigate to javascript URI from http://documenturi was refused by policy",
+            "Inline event handler at http://documenturi (line number 123) was refused by policy"
+        };
+        public IEnumerator<object[]> GetEnumerator()
+        {
+            return expectedDescriptions
+                // match reports and expected descriptions
+                .Zip(reports, (d, r) => new { d, r })
+                // find all combinations of the previous with each log level
+                .SelectMany(reportAndDesc => logLevels.Select(l => new object[] { reportAndDesc.d, reportAndDesc.r, l }))
+                .GetEnumerator();
+        }
+
+        IEnumerator IEnumerable.GetEnumerator() => GetEnumerator();
+    }
+}
diff --git a/CSP/test/UnitTests/Microsoft.AspNetCore.Csp.Test.csproj b/CSP/test/UnitTests/Microsoft.AspNetCore.Csp.Test.csproj
new file mode 100644
index 000000000..5355fd810
--- /dev/null
+++ b/CSP/test/UnitTests/Microsoft.AspNetCore.Csp.Test.csproj
@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
+    <PreserveCompilationContext>true</PreserveCompilationContext>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\testassets\CspApplication\CspMiddlewareWebSite.csproj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.Csp" />
+    <Reference Include="Microsoft.AspNetCore.TestHost" />
+    <Reference Include="Microsoft.AspNetCore.Mvc" />
+    <Reference Include="Microsoft.AspNetCore.Mvc.Testing" />
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/CSP/test/UnitTests/TestUtils.cs b/CSP/test/UnitTests/TestUtils.cs
new file mode 100644
index 000000000..570faa4db
--- /dev/null
+++ b/CSP/test/UnitTests/TestUtils.cs
@@ -0,0 +1,46 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using Xunit;
+
+namespace Microsoft.AspNetCore.Csp.Test
+{
+    public class TestUtils
+    {
+        public class CspTestLogger : ILogger<CspReportLogger>
+        {
+            public Dictionary<LogLevel, string> actualLogCalls = new Dictionary<LogLevel, string>();
+            public IDisposable BeginScope<TState>(TState state)
+            {
+                throw new NotImplementedException();
+            }
+
+            public bool IsEnabled(LogLevel logLevel)
+            {
+                throw new NotImplementedException();
+            }
+
+            public void Log<TState>(LogLevel logLevel, EventId eventId, TState state, Exception exception, Func<TState, Exception, string> formatter)
+            {
+                actualLogCalls.Add(logLevel, formatter.Invoke(state, exception));
+            }
+
+            public void SingleLogStatementMatching(LogLevel logLevel, string expected)
+            {
+                Assert.Single(actualLogCalls);
+
+                string actualMessage;
+                actualLogCalls.TryGetValue(logLevel, out actualMessage);
+                Assert.Equal(expected, actualMessage);
+            }
+
+            public void NoLogStatementsMade()
+            {
+                Assert.Empty(actualLogCalls);
+            }
+        }
+    }
+}
diff --git a/CSP/test/testassets/CspApplication/CspMiddlewareWebSite.csproj b/CSP/test/testassets/CspApplication/CspMiddlewareWebSite.csproj
new file mode 100644
index 000000000..de383e262
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/CspMiddlewareWebSite.csproj
@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
+    <PreserveCompilationContext>true</PreserveCompilationContext>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.CSP" />
+    <Reference Include="Microsoft.AspNetCore.Hosting" />
+    <Reference Include="Microsoft.AspNetCore.Mvc" />
+    <Reference Include="Microsoft.AspNetCore.Diagnostics" />
+    <Reference Include="Microsoft.AspNetCore.StaticFiles" />
+    <Reference Include="Microsoft.Extensions.Hosting" />
+    <Reference Include="Microsoft.Extensions.Hosting.Abstractions" />
+    <Reference Include="Microsoft.Extensions.Configuration" />
+    <Reference Include="Microsoft.Extensions.DependencyInjection" />
+    <Reference Include="Microsoft.AspNetCore.Server.IISIntegration" />
+    <Reference Include="Microsoft.AspNetCore.Server.Kestrel" />
+  </ItemGroup>
+
+</Project>
diff --git a/CSP/test/testassets/CspApplication/Pages/Error.cshtml b/CSP/test/testassets/CspApplication/Pages/Error.cshtml
new file mode 100644
index 000000000..6f92b9565
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/Error.cshtml
@@ -0,0 +1,26 @@
+@page
+@model ErrorModel
+@{
+    ViewData["Title"] = "Error";
+}
+
+<h1 class="text-danger">Error.</h1>
+<h2 class="text-danger">An error occurred while processing your request.</h2>
+
+@if (Model.ShowRequestId)
+{
+    <p>
+        <strong>Request ID:</strong> <code>@Model.RequestId</code>
+    </p>
+}
+
+<h3>Development Mode</h3>
+<p>
+    Swapping to the <strong>Development</strong> environment displays detailed information about the error that occurred.
+</p>
+<p>
+    <strong>The Development environment shouldn't be enabled for deployed applications.</strong>
+    It can result in displaying sensitive information from exceptions to end users.
+    For local debugging, enable the <strong>Development</strong> environment by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>
+    and restarting the app.
+</p>
diff --git a/CSP/test/testassets/CspApplication/Pages/Error.cshtml.cs b/CSP/test/testassets/CspApplication/Pages/Error.cshtml.cs
new file mode 100644
index 000000000..aaa2c0635
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/Error.cshtml.cs
@@ -0,0 +1,31 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.Extensions.Logging;
+
+namespace CspApplication.Pages
+{
+    [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
+    public class ErrorModel : PageModel
+    {
+        public string RequestId { get; set; }
+
+        public bool ShowRequestId => !string.IsNullOrEmpty(RequestId);
+
+        private readonly ILogger<ErrorModel> _logger;
+
+        public ErrorModel(ILogger<ErrorModel> logger)
+        {
+            _logger = logger;
+        }
+
+        public void OnGet()
+        {
+            RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier;
+        }
+    }
+}
diff --git a/CSP/test/testassets/CspApplication/Pages/Index.cshtml b/CSP/test/testassets/CspApplication/Pages/Index.cshtml
new file mode 100644
index 000000000..9f1024ee1
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/Index.cshtml
@@ -0,0 +1,26 @@
+@page
+@model IndexModel
+@{
+    ViewData["Title"] = "Home page";
+}
+
+<!-- Try loading JS in a couple of different ways. -->
+<script src="~/js/example.js" asp-append-version="true"></script>
+<script>
+    document.addEventListener('DOMContentLoaded', e => {
+        let counter = 0;
+        document.getElementById('js-button').addEventListener('click', e1 => {
+            let item = document.createElement('li');
+            item.appendChild(document.createTextNode('Clicked ' + counter + ' times!'));
+            document.getElementById('js-controlled-list').appendChild(item);
+            counter += 1;
+        })
+    });
+</script>
+
+<div class="text-center">
+    <h1 class="display-4">Welcome</h1>
+    <p>Learn about <a href="https://docs.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
+    <button id="js-button">Click me!</button>
+    <ul id="js-controlled-list"></ul>
+</div>
diff --git a/CSP/test/testassets/CspApplication/Pages/Index.cshtml.cs b/CSP/test/testassets/CspApplication/Pages/Index.cshtml.cs
new file mode 100644
index 000000000..84d2a7b87
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/Index.cshtml.cs
@@ -0,0 +1,25 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.Extensions.Logging;
+
+namespace CspApplication.Pages
+{
+    public class IndexModel : PageModel
+    {
+        private readonly ILogger<IndexModel> _logger;
+
+        public IndexModel(ILogger<IndexModel> logger)
+        {
+            _logger = logger;
+        }
+
+        public void OnGet()
+        {
+
+        }
+    }
+}
diff --git a/CSP/test/testassets/CspApplication/Pages/Privacy.cshtml b/CSP/test/testassets/CspApplication/Pages/Privacy.cshtml
new file mode 100644
index 000000000..46ba96612
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/Privacy.cshtml
@@ -0,0 +1,8 @@
+@page
+@model PrivacyModel
+@{
+    ViewData["Title"] = "Privacy Policy";
+}
+<h1>@ViewData["Title"]</h1>
+
+<p>Use this page to detail your site's privacy policy.</p>
diff --git a/CSP/test/testassets/CspApplication/Pages/Privacy.cshtml.cs b/CSP/test/testassets/CspApplication/Pages/Privacy.cshtml.cs
new file mode 100644
index 000000000..567303dae
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/Privacy.cshtml.cs
@@ -0,0 +1,24 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.Extensions.Logging;
+
+namespace CspApplication.Pages
+{
+    public class PrivacyModel : PageModel
+    {
+        private readonly ILogger<PrivacyModel> _logger;
+
+        public PrivacyModel(ILogger<PrivacyModel> logger)
+        {
+            _logger = logger;
+        }
+
+        public void OnGet()
+        {
+        }
+    }
+}
diff --git a/CSP/test/testassets/CspApplication/Pages/Shared/_Layout.cshtml b/CSP/test/testassets/CspApplication/Pages/Shared/_Layout.cshtml
new file mode 100644
index 000000000..0f584c3ce
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/Shared/_Layout.cshtml
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>@ViewData["Title"] - CspApplication</title>
+    <link rel="stylesheet" href="~/css/site.css" />
+</head>
+<body>
+    <header>
+        <nav class="navbar navbar-expand-sm navbar-toggleable-sm navbar-light bg-white border-bottom box-shadow mb-3">
+            <div class="container">
+                <a class="navbar-brand" asp-area="" asp-page="/Index">CspApplication</a>
+                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target=".navbar-collapse" aria-controls="navbarSupportedContent"
+                        aria-expanded="false" aria-label="Toggle navigation">
+                    <span class="navbar-toggler-icon"></span>
+                </button>
+                <div class="navbar-collapse collapse d-sm-inline-flex flex-sm-row-reverse">
+                    <ul class="navbar-nav flex-grow-1">
+                        <li class="nav-item">
+                            <a class="nav-link text-dark" asp-area="" asp-page="/Index">Home</a>
+                        </li>
+                        <li class="nav-item">
+                            <a class="nav-link text-dark" asp-area="" asp-page="/Privacy">Privacy</a>
+                        </li>
+                    </ul>
+                </div>
+            </div>
+        </nav>
+    </header>
+    <div class="container">
+        <main role="main" class="pb-3">
+            @RenderBody()
+        </main>
+    </div>
+
+    <footer class="border-top footer text-muted">
+        <div class="container">
+            &copy; 2020 - CspApplication - <a asp-area="" asp-page="/Privacy">Privacy</a>
+        </div>
+    </footer>
+
+    <script src="~/js/site.js" asp-append-version="true"></script>
+
+    @RenderSection("Scripts", required: false)
+</body>
+</html>
diff --git a/CSP/test/testassets/CspApplication/Pages/Shared/_ValidationScriptsPartial.cshtml b/CSP/test/testassets/CspApplication/Pages/Shared/_ValidationScriptsPartial.cshtml
new file mode 100644
index 000000000..5a16d80a9
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/Shared/_ValidationScriptsPartial.cshtml
@@ -0,0 +1,2 @@
+<script src="~/lib/jquery-validation/dist/jquery.validate.min.js"></script>
+<script src="~/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js"></script>
diff --git a/CSP/test/testassets/CspApplication/Pages/_ViewImports.cshtml b/CSP/test/testassets/CspApplication/Pages/_ViewImports.cshtml
new file mode 100644
index 000000000..3c712194d
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/_ViewImports.cshtml
@@ -0,0 +1,4 @@
+@using CspApplication
+@namespace CspApplication.Pages
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
+@addTagHelper Microsoft.AspNetCore.Csp.NoncedScriptTagHelper, Microsoft.AspNetCore.Csp
diff --git a/CSP/test/testassets/CspApplication/Pages/_ViewStart.cshtml b/CSP/test/testassets/CspApplication/Pages/_ViewStart.cshtml
new file mode 100644
index 000000000..a5f10045d
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Pages/_ViewStart.cshtml
@@ -0,0 +1,3 @@
+@{
+    Layout = "_Layout";
+}
diff --git a/CSP/test/testassets/CspApplication/README.md b/CSP/test/testassets/CspApplication/README.md
new file mode 100644
index 000000000..abe8417fe
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/README.md
@@ -0,0 +1,5 @@
+This is an example application to show how to set up the CSP middleware and configure the policy, and then have our nonces propagate to the templated HTML.
+
+## How to run
+1. Change the project name to `CspMiddlewareWebSite` and change the `IIS Express` entry to `CspApplication`.
+2. If you get build errors that complain about missing DLLs, try `.\build.cmd` from the repo root. If you're still getting missing DLL errors for `Microsoft.AspNetCore.Mvc`, try navingating to `src\Mvc` and then running the `.\build.cmd` there. You might have to install Node and put it on your path for the compilation of ASP.NET MVC to work.
diff --git a/CSP/test/testassets/CspApplication/Startup.cs b/CSP/test/testassets/CspApplication/Startup.cs
new file mode 100644
index 000000000..ab292d46c
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/Startup.cs
@@ -0,0 +1,63 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Csp;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+
+namespace CspApplication
+{
+    public class Startup
+    {
+        public Startup(IConfiguration configuration)
+        {
+            Configuration = configuration;
+        }
+
+        public IConfiguration Configuration { get; }
+
+        // This method gets called by the runtime. Use this method to add services to the container.
+        public void ConfigureServices(IServiceCollection services)
+        {
+            services.AddCsp();
+            services.AddRazorPages();
+        }
+
+        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+        {
+            // CSP configuration. Must come first because other middleware might skip any following middleware.
+            app.UseCsp(policyBuilder => policyBuilder.WithCspMode(CspMode.ENFORCING)
+                .WithReportingUri("/csp"));
+
+
+            // Not sure how many of these we absolutely need to do a basic templated HTML page with a reporting endpoint.
+            app.UseDeveloperExceptionPage();
+            app.UseStaticFiles();
+            app.UseRouting();
+            app.UseAuthorization();
+            app.UseEndpoints(endpoints =>
+            {
+                endpoints.MapRazorPages();
+            });
+        }
+
+        public static IWebHostBuilder CreateWebHostBuilder(string[] args)
+        {
+            return new WebHostBuilder()
+                .UseKestrel()
+                .UseIISIntegration();
+        }
+
+        public static void Main(string[] args)
+        {
+            var host = CreateWebHostBuilder(args).UseContentRoot(Directory.GetCurrentDirectory()).UseStartup<Startup>().Build();
+            host.Run();
+        }
+    }
+}
diff --git a/CSP/test/testassets/CspApplication/appsettings.Development.json b/CSP/test/testassets/CspApplication/appsettings.Development.json
new file mode 100644
index 000000000..8983e0fc1
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/appsettings.Development.json
@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft": "Warning",
+      "Microsoft.Hosting.Lifetime": "Information"
+    }
+  }
+}
diff --git a/CSP/test/testassets/CspApplication/appsettings.json b/CSP/test/testassets/CspApplication/appsettings.json
new file mode 100644
index 000000000..d9d9a9bff
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/appsettings.json
@@ -0,0 +1,10 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft": "Warning",
+      "Microsoft.Hosting.Lifetime": "Information"
+    }
+  },
+  "AllowedHosts": "*"
+}
diff --git a/CSP/test/testassets/CspApplication/wwwroot/css/site.css b/CSP/test/testassets/CspApplication/wwwroot/css/site.css
new file mode 100644
index 000000000..e679a8ea7
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/wwwroot/css/site.css
@@ -0,0 +1,71 @@
+/* Please see documentation at https://docs.microsoft.com/aspnet/core/client-side/bundling-and-minification
+for details on configuring this project to bundle and minify static web assets. */
+
+a.navbar-brand {
+  white-space: normal;
+  text-align: center;
+  word-break: break-all;
+}
+
+/* Provide sufficient contrast against white background */
+a {
+  color: #0366d6;
+}
+
+.btn-primary {
+  color: #fff;
+  background-color: #1b6ec2;
+  border-color: #1861ac;
+}
+
+.nav-pills .nav-link.active, .nav-pills .show > .nav-link {
+  color: #fff;
+  background-color: #1b6ec2;
+  border-color: #1861ac;
+}
+
+/* Sticky footer styles
+-------------------------------------------------- */
+html {
+  font-size: 14px;
+}
+@media (min-width: 768px) {
+  html {
+    font-size: 16px;
+  }
+}
+
+.border-top {
+  border-top: 1px solid #e5e5e5;
+}
+.border-bottom {
+  border-bottom: 1px solid #e5e5e5;
+}
+
+.box-shadow {
+  box-shadow: 0 .25rem .75rem rgba(0, 0, 0, .05);
+}
+
+button.accept-policy {
+  font-size: 1rem;
+  line-height: inherit;
+}
+
+/* Sticky footer styles
+-------------------------------------------------- */
+html {
+  position: relative;
+  min-height: 100%;
+}
+
+body {
+  /* Margin bottom by footer height */
+  margin-bottom: 60px;
+}
+.footer {
+  position: absolute;
+  bottom: 0;
+  width: 100%;
+  white-space: nowrap;
+  line-height: 60px; /* Vertically center the text there */
+}
diff --git a/CSP/test/testassets/CspApplication/wwwroot/favicon.ico b/CSP/test/testassets/CspApplication/wwwroot/favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..a3a799985c43bc7309d701b2cad129023377dc71
GIT binary patch
literal 32038
zcmeHwX>eTEbtY7aYbrGrkNjgie?1jXjZ#zP%3n{}GObKv$BxI7Sl;Bwl5E+Qtj&t8
z*p|m4DO#HoJC-FyvNnp8NP<{Na0LMnTtO21(rBP}?EAiNjWgeO?z`{3ZoURUQlV2d
zY1Pqv{m|X_oO91|?^z!6@@~od!@OH>&BN;>c@O+yUfy5w>LccTKJJ&`-k<%M^Zvi(
z<$dKp=jCnNX5Qa+M_%6g|IEv~4R84q9|7E=|Ho(Wz3f-0wPjaRL;W*N^>q%^KGRr7
zxbjSORb_c&eO;oV_DZ7ua!sPH=0c+W;`vzJ#j~-x3uj};50#vqo*0w4!LUqs*UCh9
zvy2S%$#8$K4EOa&e@~aBS65_hc~Mpu=454VT2^KzWqEpBA=ME|O;1cn?8p<+{MKJf
zbK#@1wzL44m$k(?85<eW@6XRp%jD>=Obido7=C|xWKe%66$z)NrzRwR>?hK?_bbwT
z@Da?lBrBL}Zemo1@!9pYRau&!ld17h{f+UV0sY(R{ET$PBB|-=Nr@l-nY6w8HEAw*
zRMIQU`24Jl_IFEPcS=_HdrOP5yf81z_?@M>83Vv65$Q<HOixSl<aTM__jl4#^thzg
zR%8kDj}7!lG~6zIy}i=c(}UmYmfr3z>Fr9nP<Q2WYG!6yx=!tqj{N(it>g(wr`Ke8
zaY4ogdnMA*F7a4Q1_uXadTLUpCk;$ZPRRJ^sMOch;rlbvUGc1R9=u;dr9YANbQ<4Z
z#P|Cp9BP$FXNPolgyr1XGt$^lFPF}rmBF5rj1Kh5%dforrP<k8>8W}_qJ<Ai`=Ou7
z`ue&ogWfUli9DMc8&O<H4|y`$*Ck6>L$2qMBS-#%-|s#BPZBSETsn_EBYcr(W5dq(
z@f%}<eeQ3J;Ww5b2VCRhCywj)`%eE_;>C|iN7)YN`^)<MX{;gTi@1yp^{2@b;(+g`
zAt&imr^?OutN&RNC7A!n)B63jwKbWao5ecJ%hKY!EZ~|jkF}#Ltw6^3x5~;&{eFM-
zi;^sTLgE!Ky7P}i#{58fMnFeDcsGT0=<Dl~`uh4mC;g*M#nOM~MM+)Qlk@xhE}^NZ
zQ9_}Rw6?bH#)oeiA0L;6g#`s(=X#N*<>h7R?Cg}Do*w-!zwZb9=BMp%Wsh@nb22hA
zA{`wa8Q;yz6S)zfo%sl08^GF`9csI9BlGnEy#0^Y3b);M+n<(}6jziM7nhe57a1rj
zC@(2ISYBL^UtWChKzVWgf%4LW2Tqg_^7jMw`C$KvU+mcakFjV(BGAW9g%CzSyM;Df
z143=mq0oxaK-H;o>F<Rt1N8OKCQyfy(wj_3Pa+10N>3~zJ<(3-j&?|QBn)WJfP#JR
zRuA;`N?L83wQt78QIA$(Z)lGQY9r^SFal;LB^qi`8%8@y+mwcGsf~nv)bBy2S7z~9
z=;X@Gglk)^jpbNz?1;`!J3QUfAOp4U$Uxm5>92iT`mek#$>s`)M>;e4<M8Hm<td$i
zo%63^{uMj_JZyl2H|=@`4jvvW(-Ts0+?#)(Zm%@H_UF>{#%HAAcb^8_Ax%ersk|}#
z0bd;ZPu|2}18KtvmIo8`1@H~@2ejwo(5rFS`Z4&O{$$+ch2hC0=06Jh`@p+p8LZzY
z&2M~8T6X^*X?yQ$3N5EzRv$(FtSxhW>>ABUyp!{<Wz0W0IwJGaQ;Ngf)HrbH_i%t+
zRbG%E4pf{tRz1*<`LTY34f{a*UrA^`{Keb<8-DNe(tP~azWFT<h7USFe1h^|)$m|)
zY*glF%>484f8(%C1_y)3D%Qgfl_!sz`LTXOjR&L!zPA0qH_iNS!tY{!^2WfD%uT}P
zI<~&?@&))5&hPPHVRl9);TPO>@UI2d!^ksb!$9T96V(F){puTsn(}qt_WXNw4VvHj
zf;6A_XCvE`Z@}E-IOaG0rs>K>^=Sr&OgT_p;F@v0VCN0Y$r|Lw1?Wjt`AKK~RT*kJ
z2>QPuVgLNcF+XKn<s0*3P3iB*gT^a0vIzTZU|trn2Uv9c3Hh)9f3g4{&h?nbULpvN
z96n^`Pp`^wOQE#w`Lc8replMCXK8)sOVV=kx5^vt9Vp{-(Alv;%nuxzF#i;MKYb4U
zzQV*feDk<Wj*l6DJWwXMCX~$yAMpLrvcuJb0|Uy(;g%w4-TgPxaq!#HhPhjz2Q4Rm
zgZUv_3Y>o;WBv$yj@d_WFJbl*#*V_Cwzo@%3n5%z4g21G*PVZ)wM5$A{klYozmGlB
zT@u2+s}=f}25%IA!yNcXUr!!1)z(Nqbhojg0lv@7@0UlvUMT)*r;M$d0-t)Z?<y`V
ztR5U35HLVSIse|TN~8$;o%g;jAzZhXzwF3Z8snPGVLi>B1@qQk()o!4fqvfr_I0r7
zy1(NdkHEj#Yu{K>T#We#b#FD=c1XhS{hdTh9+8gy-vkcdkk*QS@y(xxEMb1w6z<^~
zYcETGfB#ibR#ql0EiD;PR$L&Vrh2uRv5t_$;NxC;>7_S5_OXxsi8udY3BUUdi55Sk
zcyKM+PQ9YMA%D1kH1q48OFG(Gbl=FmV;yk8o>k%0$rJ8%-IYsHclnYuTskka<HNc)
zw7%ikv18A{=YN3n^EKXnL?Q>iCGkUlkMY~mx&K}XRlKIW;odWIeuKjtbc^8bBOTqK
zjj(ot`_j?A6y_h%vxE9o*ntx#PGrnK7AljD_r58ylE<WT-@UlL8}x(!oZA8J5zU^H
z^A9LLlqc{rSK**`!q^J#O?mF{`>*oy@{IY%+mA^!|2vW_`>`aC{#3`#3;D_$^S^cM
zRcF+uTO2sICledvFgNMU@A%M)%8JbSLq{dD|2|2Sg8vvh_uV6*Q?F&rKaV{v_qz&y
z`f;stIb?Cb2!Cg7CG91Bhu@D@RaIrq-+o+T2fwFu#|j>lD6ZS9-t^5cx>p|?flqUA
z;Cgs#V)O#`Aw4$Kr)L5?|7f4izl!;n0jux}tEW$&&YB<mKXAV!4?lsqzpK~nm2X@%
zznz;rn1?^*{QmQRy*7FZTn2bH>Xz9o{+~HhoiYDJ`w5BVTl&ARya=M7zdy$FE<n#M
zl!>e}iGBur8XE>rhLj&_yDk5D4n2GJZ07u7%zyAfNtOLn;)M?h*Py-Xtql5a<V_m;
zgjM+PrKKg|+4S7GbD8ri{bv3|(WAftcJSQ3j463m3!*jX9@l3SwsIJ9$n(_<d<V}-
zdM?8m`TY6woc|B3{h0`#lz73zk}Uaq<w4i6rzBQ)?7HUX-1c18+m(<moCSvAXLye5
zh5c`8YLaL)x*b1$i#PuXiRV8kiNc2^j&+D1gdfb}|5oTH&30~%=gw3MWL>JOtL4<G
zQ+geX#i}{CfBuEhxKIYkhY836$5h(|e8hWgX@2-7&O3^caOQNC+RsJA9=Z|lz!|j~
zzv!M%E&bjs-ql8b^FEb%#q+R*m6a8_c=4j1p}V@eu9_R)yao8k1Y%7=kV>U8e|!t?
z((sc6&OJXrPdVef^wZV&x=Z&~uA7^ix8rly^rEj?#d&~pQ{HN8Yq|fZ#*bXn-26P^
z5!)xRzYO9{u6vx5@q_{FE4#7BipS#{&J7*>y}lTyV94}dfE%Yk>@@pDe&F7J09<pd
zBG-35{NWG(mj@qs;K5x_@BH1ar=NZmqYF>(-0|wuI|$of-MRfK51#t@t2+U|*s=W;
z!Y&t{dS%!4VEEi$efA!#<<7&04?kB}Soprd8*jYv;-Qj~h~4v>{XX~kjF+@Z7<<HU
zYqNw~nxvi3+#u~u4m8wBdt;r18fqQ5f-wkc<;fra!=7j)qI)jCZL`;m=MLi>t?^|i
z#>_ag2i-CRAM8Ret^rZt*^K?`G|o>1o(mLkewxyA)38k93`<~4VFI?5VB!kBh%NNU
zxb8K(^-MU1ImWQxG~nFB-Un;6n{lQz_FfsW9^H$Xcn{;+W^ZcG$0qLM#eNV=vGE@#
z1~k&!h4@T|IiI<47@pS|i?Qcl=XZJL#$JKve;booMqDUYY{(xcdj6STDE=n?;fsS1
ze`h~Q{CT$K{+{t+#*I1=&&-UU8M&}AwAxD-rMa=e!{0gQXP@6azBq9(ji11uJF%@5
zCvV`#*?;ZguQ7o|nH%bm*s&jLej#@B35gy32Z<i}p+w67N1l-O`bz9E2Q&Prl{J&c
zFtWxN6yt(CUz#|WFBayHKRA5RSe_Guv1?%CbBu>AE0`Pz@#j6R&kN5w{O4~1rhDoU
zEBdU)%Nl?8zi|DR((u|gg~r$aLYmGMyK%FO*qLvwxK5+cn*`;O`16c!&&XT{$j~5k
zXb^fbh<puUpgSc4h;a^JPcx88NIwB_wZ3>1GT-CI*Nj{-?r7HNg=e3E{6rxuluPXY
z5Nm8ktc$o4-^SO0|Es_sp!A$8GVwOX+%)cH<;=u#R#nz;7QsHl;J@a{5NUAmAHq4D
zIU5@jT!h?kUp|g~iN*!>jM6K!W5ar0v~fWrSHK@})@6Lh#h<Y-#lOkKs1PG-dHahJ
zM$9B!@NH=agbTkTEj7nH{j+*#V~1D+#UC`_oFZ}Me`Xv{@kczB_^%*-rLiN#^HvZC
zW(<sHDV`^1p=WbA*Ya%3^OlV(W{)pCXZUY^cUfk7fj?qhj5jjg$(WPI9Nz{#c;9@!
z)Zp*vi`o)@{L|5U;-82?ew;X@(E~@0um(f0$%}}ESvgw3SzYA_xsriy$PoeZL|V8W
z{@A2<JtHqX_pFg0#+X+jKYhgiuT=-g|90fanqL15WCybU=I0>)C6F6@)&-+C3(zO!
z8+kV|B7LctM3DpI*~EYo>vCj>_?x&H;>y0*vKwE<xtH<PVcLDjlozY_*>0?vi$CLt
zfSJB##P|M2dEUDBPKW=9cY-F;L;h3Fs4E<eJzSD0o_jT(!I%bYf7s+A4F4S&vU&{u
zGbX8LWQ`N}<B$_Fk65OWB{ME!ZERdNV}zY};koB_$6`_N2)YHB>2ERdN#NSL7ctAC
z?-}_a{*L@GA7JHJudx<WJi9vaTgF5Z9j)pgxL;;`&B{@bE%JPV^=rl!1jcq@Z#B+K
zI|2CR^UoXk0q$!Sf5ta~Z|k1Fh3?+3@pjdRw-9@${9~P5058{|`@~;!oxq)E`a}o(
z8TJsw+Xa=SEL)22TOOnx8*XCLjxTj%)P9=0>tDVA{K5Y<t}S3@pcVZ8Th-w<@*n!!
z{5Iw1^Pc<=f6hypBmP*AsZr+1oqVnGKO_xxS8yg@lnLzHXK^lHLXLT2Y)od6$6zjW
z9C6|q#F-b7CmbIcmKp4m7BvnvBs0jtGR{3Vggi9%Ow@12rlw(+%(c0Xy{wTRCzd-q
z*e0R(?n0dVtJ1#zZi$pWqOotrym_zr!eLj|ROWD&A`Mex27eRR=>h*k(%#x4W7w+^
zcb-+ofbT5ieG+@QG2lx&7!MyE2JWDP@$k`M;0`*d+oQmJ2A^de!3c53HFcfW_Wtv<
zKghQ;*FifmI}kE4dc@1y-u<d{7CivIL!OYgVGO<b{2`UIHP{i#n~qoq@_&@^AO(Z}
z#dBx%d`SP8OeFNo#JyrN5tr_+l*A&Pl8ncsJC&4ZX9w(URJxP6hTSsP33H9_bi)@%
zu_vKVG}rhHu7CFAlP>;@qs|V75Z^|Q0l0?teobTE8t<n*L#~=H98x(W?vyu^e<1&d
zVCNt|KKw6VydWvylS1AzNdOH7;z|Q?cL6+10ul;Q-^lCSu>Gl@EB?k#q_wUjypJ*R
zyEI=DJ^Z+d*&}B_xoWvs27LtH7972qqMxVFcX9}c&JbeNCXUZM0`nQIkf&C}&skSt
z^9fw@b^Hb)!^hE2IJq~~GktG#ZWwWG<`@V&ckVR&r=JAO4YniJewVcG`HF;59}=bf
zLyz0uxf6MhuSyH#-^!ZbHxYl<XIQZKGrvIGxelxgp{*E!yiZR}IrSkt->^mmBVrx)
zyrb8sQ*qBd_WXm9c~Of$&ZP$b^)<~0%nt#7<SN=BJIqx?5B)&%HI%7#(A9E*{D)1a
zzF<__h-;n;xMv$>y$1Jg$e}WCK>TeUB{P>|b1FAB?%K7>;XiOfd}JQ`|IP#Vf%kVy
zXa4;XFZ+>n;F>uX&3|4zqWK2u3c<>q;tzjsb1;d{u;L$-hq3qe@82(ob<3qom#%`+
z;vzYAs7TIMl_O75BXu|r`Qhc4UT*vN$3Oo0kAC!{f2#HexDy|qUpgTF;k{o6|L>7l
z=?`=*LXaow1o;o<tE{OE(?2=<A4MF}#OA>NNLXsGTrvC)$R&{m=94Tf+2iTT3Y_Or
z-!;^0a{kyWtO4vksG_3cyc7HQ0~detf0+2+qxq(e1NS251N}w5iTSrM)`0p8rem!j
zZ<hbA{CN2H;rvl^?u=Z#a9)8m2_BTo>56hGD=pHI*B+dd)2B`%|9f0goozCSeXPw3
z+58k~sI02Yz#lOneJzYcG)EB0|F+ggC6D|B`6}d0khAK<z1EteZqA7EX64Ap4|63J
zj4Um~{}W6Oi8&OL<FvV6o6oW%_Z}v%WpZ1@U(esz>-gz7U3EGT|M_9$ZINqZjwf>P
zJCZ=ogSoE`=yV5YXrcTQZx@Un(64*AlLiyxWnCJ9I<5Nc*eK6eV1Mk}ci0*NrJ=t|
zCXuJG`#7GBbPceFtFEpl{(lTm`LX=B_!H+&<jfTRckhNg0e{@1{I9PYT{krFIt@FQ
zg+FwG^sp{Y@uzMp4aUaWbr@wX&jIfL%sQAoAlG7w_&aAJ|2mvGb0(1gMt;7hdCnN>
z>$*<vlz7PxQ0w-nB#-=5Lba8aRA*erxDLBLmXZInYq6sEvo_D#CSM*dTb3*>Hf}}y
zkt@nLXFG9%v**s{z&{H4e?aq<G31K6PCl)5elgO3{9)UrlZrQaZ(c^0v}TWI7z^P2
zsLTIFwM(SQ+9#ebDO2=!Tnny)T?^fZ19!?2&qc&PopnY%cm7<U{45MZe<3%K{ohhL
zm~)LF=iB)n^a1x;FCKO9wu8Z+e$vIAGyqou>p%&l#oU8lxUxk2o%K+?aAe6jLojA&
z_|J0<&#5-%u^<;NT*%4)n2-OdqfctSl6iCHE?W_Q2zpJken#_xUJlidzs249H=b#g
z?}L4-Tnp6)t_5X?_$v)vz`s9@^BME2X@w<>sKZ3=B{%*B$T5Nj%6!-Hr;I!Scj`lH
z&2dHFlOISwWJ&S2vf~@I4i~(0*T%OFiuX|eD*nd2utS4$1_JM?zmp>a#CsVy6Er^z
zeNNZZDE?R3pM?>~e?H_N`C`hy%m4jb;6L#8=a7l>3eJS2LGgEUxsau-Yh9l~o7=Yh
z2mYg3`m5*3Ik|lKQf~euzZlCWzaN&=vHuHtOwK!2@W6)hqq$Zm|7`Nmu%9^F6UH?+
z@2ii+=iJ;ZzhiUKu$QB()nKk3FooI>Jr_IjzY6=qxYy;&mvi7BlQ?t4kRjIhb|2q?
zd^K~{-^cxjVSj?<hi6;nFqt>!Xs=Da5IHmFzRj!Kzh~b!?`P7c&T9s77VLYB?8_?F
zauM^)p;qFG!9PHLfIsnt43UnmV?Wn?Ki7aXSosgq;f?MYUuSIYwOn(5vWhb{f%$pn
z4ySN-z}_%7|B);A@PA5k*7kkdr4xZ@s{e9j+9w<CJ?O>;*RFm;XPDQwx%~;8i<oa^
zexLQs#C;Swe&jxL;2)Pn5quSD44CilIrSXYU_0#4b{VXBL&8lp8{)5e>BzSKTIGKO
z{53ZZU*OLr@S5=k;?CM^i#zkxs3Sj%z0U`L%q`qM+t<Pf&d|V}H3F<zNPq^dnLw>P
zX$aL;*^g$7<Ue(mJhn9?_FDN)+hp<2y0&!%%(W5co>UyM2Go+_4A+f)IQcy^G$h2E
zb?nT$<GLCMXx=#+f8x!0hdAV2X~A_&-#?U7{;x-VC^O92Wb?eSzE+S6RX|=;&pC$<
z9g@=0Qq9>XlgTEFJI8GN6NQf%-eVn9mPilRqUbT$pN-|;FEjq@Ao&TxpZg=mEgBHB
zU@grU;&sfmqlO=6|G3sU;7t8rbK$?X0y_v9$^{X`m4jZ_BR|B|@?ZCLSPPEzz`w1n
zP5nA;4(kQFKm%$enjkkBxM%Y}2si&d|62L)U(dCzCGn56HN+i#6|nV-TGIo0;W;`(
zW-y=1KF4dp$$mC_|6}pbb>IHoKQeZajXQB>jVR?u`R>%l1o54?6NnS*arpVopdEF;
zeC5J3*M0p`*8lif;!irrcjC?(uExejsi~>4wKYwstGY^N@KY}TujLx`S=Cu+T=!dx
zKWlPm->I**E{A*q-Z^FFT5$G%7Ij0_*Mo4-y6~RmyTzUB&l<K=Dpmb{^4-!94u`ca
zdNVoO>fae(WZfO>um}mnsDXPEbau-!13!!xd!qh*{C)6&bz0j1I{>y$D-S)b*)J<Y
zxc^5t3qJV45B`taZ@>MCPk!=~KL&6Ngin0p6MCOxF2L_R9t8N!$2Wpced<#`y!F;w
zKTi5V_kX&X09wAIJ#anfg9Dhn0s7(C6Nj3S-mVn(i|C6ZAV<aixb6h<Sg0H6jw4qU
zV~?Bz5!)*lmM-iqJqY1C7nsj&+qP{N{V-~a1^op#4Sw~jUm=fL>q0$hE)874co};g
z^hR7pe4lU$P;*ggYc4o&UTQC%liCXooIfkI3TNaBV%t~FRr}yHu7kjQ2J*3;e%;iW
zvDVCh8=G80KAeyhCuY2LjrC!Od1rvF7h}zszxGV)&!)6ChP5WAjv-zQAMNJIG!JHS
zwl?pLxC-V5II#(hQ`<T9_no>l)ZAp&M0xd4%cxmco*MIk?{BD=BK`1vpc}D39|XlV
z{c&0oGdDa~TL2FT4lh=~1NL5O-P~0?V2#ie`v^CnANfGUM!b4F=JkCwd7Q`c8Na2q
zJGQQk^?6w}Vg9-{|2047((lAV84uN%sK!N2?V(!_1{{<Jh_kyRt}|;t96pc-^Er3`
zo}iC2gMPObPU{|m=x2|p6X&-wXJt%zkSPP3@xa!}dGs%8Jc%(S1BMS)CX6g%9UNV-
z>v6rdgZl56f0zDMQ+q)jKzzu^ztsVken;=DjAh6G`Cw`Q4G+BjS+n*=KI~^K{W=%t
zbD-rN)O4|*Q~@<#@1Vx$E!0W9`B~IZeFn87sHMXD>$M%|Bh93rdGf1lKo<R02YmTL
zqhr<%m_BFM7Fa&y947^SQ}y4{ZAaF|G`@C+sh521)5?cN^cOe0_9@gH-Y$)(pJd(P
z_1X@lpSgXfMnLNXGU%rcETRu24v0w?{GLKAA}IoVUkW|qDfm7YI>X3K651t&nhsl=
zXxG|%@8}Bbrlp_u#t*DZX<}_0Yb{A9*1Pd_)LtqNwy6xT4pZrOY{s?N4)pPwT(i#y
zT%`lRi8U#Ken4fw>H+N`{f#FF<O6FlgJ{<Kj?Q@Wliwb+>?ZxFlLZg7z7#cr4X>id
z{9kUD`d2=w_Zlb{^c`5IOxWCZ1k<0T1D1Z31IU0Q2edsZ1K0xv$pQVYq2KEp&#v#Z
z?{m@Lin;*S<!No<o1d3X^w>tr(C2sfF^L>{R3cjY`~#)m>Wm$Y|1fzeS0-$(Q^z@}
zEO*vlb-<?wRtMA$a{Uv^+e}~R^M`&pP`_w=4t2sW50+lDC-HjPUHYxxaYn6a!kV+c
zpX(pPb74a0@ugg}?EV6381FQ7Pgs9Tw;k1Ys~vUZ0Q%wWr;HEDO@F2gSo*u52fF@{
z0q%z~Y=K`6U=z3xA^l!GtVgeR&-iJVe)8J~tTk;$y|}FzXPtY??k~a~!Uo`(3(c&V
z#ovwmXW9;9NBlZr@{{g90y1FeXN>^XK9>w&Ef^=Zzo-1AFSP#9zb~X5_+){$(eB4K
z8gtW+nl{q+CTh+>v(gWrsP^DB*ge(~Q$AGxJ-eYc1isti%$%nM<_&Ev?%|??PK`$p
z{f-PM{Ym8k<$$)(F9)tqz<CJIAM$L1BM%w-GTk@RUOM3L%cGxlX&$hqjP-p4?g8S*
zf2wthE%1v3ttI8(g6O9&p&r4WTH3u4^(Uy`C@Z$~Z!QCFO|beXXOCj#AWIfZKZ&zf
zwlZ<mX#YOv`9G~&1pUsa&k{hbqt<3(t(AT}<AbzwZ(!($j*x!R8U(=C*57b6bs&@n
z(qG`LzmNXS_5(h-GP;nxKcZc<fIT|*=|N!k@%Sua0Na&@Ec*Fei5AudgZ5_Zb=dRL
zy5~!dP56w~t?J)Mzt3*i+F{ENmwwIvn;HPhLRoR4kA5Ey0`~*<Tu44!-QpM^3mNiY
zd69ec=!ec>FJ?h&Dk<xHrU>@D?Dt{4CHKJWLs8$zy6+(R)pr@0ur)xY{=uXFFzH_>
z-F^tN1y(2hG8V)GpDg%wW0Px_ep~nIjD~*HCSxDi0y`H!`V*~RHs^uQsb1*bK<T$Q
z`bO#l_@MP@_8AMlIwG!r58^)LK@V~`<U<c)KlBAULJoQm1LD58CzVp$)XfpU%erPW
z8sA`jr0x}Uuf#ng_s;N@pg(vtd+S{Ehw)4s))#8cIdmaez5{i`_h`*|+aA>1qGpmd
zB1m`Cjw0`nLBF2|umz+a#2X$c?Lj;M?Lj;MUp*d>7j~ayNAyj@SLpeH`)BgRH}byy
zyQSat!;U{@O(<<2fp&oQkIy$z`_CQ-)O@RN;QD9T4y|wIJ^%U#(BF%=`i49}j!D-)
zkOwPSJaG03SMkE~BzW}b_v>LA&y)EEYO6sbdnTX*$>UF|JhZ&^MSb4}Tgbne_4n+C
zwI8<r-Iaf>U4i~PI>7a3{kVa8<kbN6eyGEHKpnx06E+}DNbur?yk^WW2oOhPEHMzw
z=X22?2K^zfKk0w-3x<B|f7Kqq?vehsJ&ym&vK>|))*%C0|K+bIbmV~a`|G#+`TU#g
zXW;bWIcWsQi9c4X*RUDpIfyoPY)2bI-r9)xulm1CJDkQd6u+f)_N=w1ElgEBjprPF
z3o?Ly0RVeY_{<?)|7`m4UeEKeU77W{UX5;9iATSc1JZBhfY1KP&`I@+zH<_On{%uq
zN9diKefHP4moxi1V~=fpz8!PYj~a2-Rue*yfn@o1>3~fPVckRMxe2lM8hj!B8F)JO
z!`AP6>u>5Y&3o9t0QxBpN<VbL&~J6p@r$}YA`b%i;P8Su%#HYA>E=lJx#NyIbp1gD
zzUYBIPYHIv9ngk-Zt~<)62^1Zs1LLYMh@_tP^I7EX-9)Ed0^@y{k65Gp0KRcTmMWw
zU|+)qx{#q0SL+4q?Q`i0>COIIF8a0Cf&C`hbMj?LmG9K&iW-?PJt*u)38tTXAP>@R
zZL6uH^!RYNq$p>PKz7f-zvg>OKXcZ8h!%Vo@{VUZp|+iUD_xb(N~G|6c#oQK^nHZU
zKg#F6<)+`rf~k*Xjjye<Hud7yLjT^qdxgMfvTOvezVxCTF3Oif0G_WIV`7|<P~nWc
ze(AR_33^2C!`bid4}IuE|D80@5BovapS?PO_T6`4{db`M<z8uj=gZLlJGJM6&pb2V
z_4I~1<lonN^!s_xCx=V%oYNfrBiZ*!d-lDc_piSEqKx(?Wdva3^UN8rzr^2Ta=Q97
zbMnl0{t<JZx`tWn&mJE>+syV{bwU2glMMMs-^ss4`bYaVroXzn`YQUd__UlZL_mLs
z(vO}k!~(mi|L+(5&;>r<;|OHnbXBE78LruP;{yBxZ6y7K3)nMo-{6PCI7gQi6+rF_
zkPod!Z8n}q46ykrlQS|hVB<q)&YlUNAEf(Uu_DAf!GkDzUD%_;=Nj{#_Uqt1dtf5y
z;SZ7>(}(2Kf7BCZ>Vc;V>ccbk2~NGaf6wGQH@W9&?Zt3v(h*P4xDrN>ex7+jH*+Qg
z%^jH$&+*!v{sQ!xkWN4+>|b}qGvEd6ANzgqoVy5Qfws}ef2QqF{iiR5{pT}PS&yjo
z>lron#va-p=v;m>WB+XVz|o;UJFdjo5_!RRD|6W{4}A2a#bZ<YY5zOXFUQ`X@ZP(W
z{s{U%j85F8y<6<33tE5Ak68a_c;MC|yL{ktG|gVY^ADbn^!84m*MEMxiVt3lk+CKA
zNb%h3<?@Xjs4RdF=h6F?ZU20tua_~bKYP8{-xA*Y4e7!9EB(0Udp_^a`hUOO;5Gl#
z5jHhr?F00{?z@eCP$vBJ+iSab%;E!Oz$Xi%DibEYrm<#?yF0OWCss@zphsqN`q5Lu
zz8>v)gS_`b|KsSH)Sd_JIr%<%n06TX&t{&!H#{)?4W9hlJ`R1>FyugOh3=D_{einr
zu(Wf`qTkvED+gEULO0I*Hs%f;&=`=X4;N8Ovf28x$A*11`dmfy2=$+PNqX>XcG`h%
zJY&A6@&)*WT^rC(Caj}2+|X|6cICm5h0OK0cGB_!wEKFZJU)OQ+TZ1q2bTx9hxnq&
z$9ee|f9|0M^)#E&Pr4)f?o&DMM4w>Ksb{hF(0|wh+5_{vPow{V%TFzU2za&gjttNi
zIyR9qA56dX52Qbv2aY^g`U7R43-p`#sO1A=K<Q;83+yZ2l>S2aKgfR+Yu^bQ*i-qu
z%0mP;Ap)B~zZgO9lG^`325gOf?iUHF{~7jyGC)3L(eL(SQ70VzR~wLN18tnx(Cz2~
zctBl1kI)wAe+cxWHw*NW-d;=pd+>+wd$a@GBju*wFvabSaP<Ja6qEsn*3Id6d4Rqr
z^l|y<AEzB~*WX9~0M>tHiT!o#QFC+wBVwYo3s=y;z1jM+M=Fj!FZM>UzpL-eZzOT(
zhmZmEfWa=%KE#V3-ZK5#v!Hz<pvTgWaXk$=0q8wlZ_?`kYW{7!0CX>d{zc^{ctF~-
z>DT-U`}5!fk$aj24`#uGdB7r`>oX5tU|d*b|N3V1lXmv%MGrvE(dXG)^-J*LA>$LE
z7kut4`zE)v{@Op|(|@i#c>tM!12FQh?}PfA0`Bp%=%*RiXVzLDXnXtE@4B)5uR}a>
zbNU}q+712pIrM`k^odG8dKtG$zwHmQI^c}tfjx5?egx3!e%JRm_64e+>`Ra1IRfLb
z1KQ`SxmH{cZfyVS5m(&`{V}Y4j6J{b17`h6KWqZ&hfc(<m44z)dfXB6&vU2slR>oR
zxM%w!$F(mKy05kY&lco3%zvLCxBW+t*rxO+i=qGMvobx0-<7`VUu)ka`){=ew+Ovt
zg%52_{&UbkUA8aJPWsk)gYWV4`dnxI%s?7^fGpq{ZQuu=VH{-t7w~K%_E<8`zS;V-
zKTho*>;UQQul^1GT^HCt@I-q?)&4!QDgBndn?3sNKYKCQFU4LGKJ$n@Je$&w9@E$X
z^p@iJ(v<nWs((bE+M|w5L=Us_;lY2i^s{%yg6)%J4-lXC#CZGW^gpJ(s_ajV?!O=O
z|C7?MHi32l&s(N{*pmI<M2@dV_Wj@S_qE!d#UR?*C(6D*_Cak*KlNXGMIrBy1N}FN
z@XUh*`bF7$*>&`1(tq~1zc>0Vow-KR&vm!GUzT?Eqgnc)leZ9p)-Z*C!zqb=-$XG0
z^!8RfuQs5s>Q~qcz92(a_Q+KH?C*vCTr~UdTiR`JGuNH8v(J|FTiSEcPrBpmHRtmd
zI2Jng0J=bXK);YY^rM?jzn?~X-Pe`GbAy{D)Y6D&1GY-EBcy%Bq?bKh?A>DD9DD!p
z?{q02wno2sraGUkZv5dx+J8)&K$)No43Zr(*S`FEdL!4C)}WE}vJd%{S6-3VUw>Wp
z?Aasv`T0^%P$2vE?L+Qhj~qB~K%eW)xH(=b_jU}TLD&BP*Pc9hz@Z=e0nkpLkWl}>
z_5J^i(9Z7$(XG9~I3sY)`OGZ#_L06+Dy4E>UstcP-rU@xJ$&rxvo!n1Ao`P~KLU-8
z{zDgN4-&A6N!kPSYbQ&7sLufi`YtE2uN$S?e&5n>Y4(q#|KP!cc1j)T^QrUXMPFaP
z_SoYO8S8G}Z$?AL4`;pE?7J5K8yWqy23>cCT2<b;m*$JK^VtIU_Y$NB`p^DNyaH+G
z{mp3Lmvg;t<h!|kGyA^37d!i!w9>{=-)+A$X^-I9=e!@J@A&-;Ufc)`H}c(VI&;0x
zrrGv()5mjP%jXzS{^|29?bLNXS0bC%p!YXI!;O457rjCEEzMkGf~B3$T}dXBO23tP
z+Ci>;5UoM?C@bU@f9G1^X3=ly&ZeFH<@|RnOG--A&)fd)AUgjw?%izq{p(KJ`EP0v
z2mU)P!+3t@X14DA=E2RR-|p${GZ9ETX=d+kJRZL$nSa0daI@&oUUxnZg0xd_xu>Vz
lzF#z5%kSKX?YLH3ll^(hI(_`L*t#Iva2Ede*Z;>H_<!%{oZJ8a

literal 0
HcmV?d00001

diff --git a/CSP/test/testassets/CspApplication/wwwroot/js/example.js b/CSP/test/testassets/CspApplication/wwwroot/js/example.js
new file mode 100644
index 000000000..c0bc6fb32
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/wwwroot/js/example.js
@@ -0,0 +1 @@
+alert("I'm a link-loaded script!");
diff --git a/CSP/test/testassets/CspApplication/wwwroot/js/site.js b/CSP/test/testassets/CspApplication/wwwroot/js/site.js
new file mode 100644
index 000000000..580cf0f85
--- /dev/null
+++ b/CSP/test/testassets/CspApplication/wwwroot/js/site.js
@@ -0,0 +1,6 @@
+// Please see documentation at https://docs.microsoft.com/aspnet/core/client-side/bundling-and-minification
+// for details on configuring this project to bundle and minify static web assets.
+
+// Write your Javascript code.
+
+alert("I'm a link-loaded script!");