Added helpers to simplify delivery of HTML documents through ASP.NET …

…Core. Added automation for Content Security Policy "nonce".

Examples/AspNetPageEmitter/Program.cs

@@ -7,8 +7,17 @@
 
 var app = builder.Build();
 
-app.MapFallback((HttpContext context) =>
-    context.WriteDocumentAsync(new TestDocument()));
+app.Use((context, next) =>
+{
+    context.Response.GetTypedHeaders().CacheControl = new Microsoft.Net.Http.Headers.CacheControlHeaderValue()
+    {
+        Private = true,
+        NoCache = true,
+    };
+
+    return next();
+});
+app.MapFallback(new TestDocument().WriteToAsync);
 
 await app.RunAsync().ConfigureAwait(false);
 
@@ -21,20 +30,7 @@ class TestDocument : IHtmlDocument
     Task IHtmlDocument.WriteBodyContentsAsync(HtmlWriter writer, CancellationToken cancellationToken)
     {
         writer.WriteElement("p", null, children => children.WriteText("Test bytes."));
+        writer.WriteScript(ValidatedScript.ForInlineSource("console.log('test')"));
         return Task.CompletedTask;
     }
 }
-
-static class Extensions
-{
-    public static Task WriteDocumentAsync(this HttpContext context, IHtmlDocument document)
-    {
-        var request = context.Request;
-        var response = context.Response;
-        response.ContentType = "text/html; charset=utf-8";
-        var baseUri = $"{request.Scheme}://{request.Host}/";
-        response.Headers.ContentSecurityPolicy = $"default-src {baseUri}; base-uri {baseUri}";
-
-        return document.WriteAsync(response.BodyWriter, context.RequestAborted);
-    }
-}

HtmlUtilities/HtmlDocumentExtensions.cs

@@ -1,4 +1,5 @@
-using System.Buffers;
+using Microsoft.AspNetCore.Http;
+using System.Buffers;
 
 namespace HtmlUtilities;
 
@@ -8,19 +9,25 @@ namespace HtmlUtilities;
 public static class HtmlDocumentExtensions
 {
     /// <summary>
-    /// Writes the document to <paramref name="writer"/>.
+    /// Writes the document to <paramref name="context"/>.
     /// </summary>
     /// <param name="document">The document to write.</param>
-    /// <param name="writer">Receives the written document.</param>
-    /// <param name="cancellationToken">Cancels emission of document data.</param>
-    /// <returns></returns>
-    public static async Task WriteAsync(
-        this IHtmlDocument document,
-        IBufferWriter<byte> writer,
-        CancellationToken cancellationToken = default)
+    /// <param name="context">Receives the written document.</param>
+    /// <returns>A task that shows completion when the document is written.</returns>
+    public static Task WriteToAsync(this IHtmlDocument document, HttpContext context)
     {
         ArgumentNullException.ThrowIfNull(document, nameof(document));
-        cancellationToken.ThrowIfCancellationRequested();
+        ArgumentNullException.ThrowIfNull(context, nameof(context));
+
+        var request = context.Request;
+        var response = context.Response;
+        response.ContentType = "text/html; charset=utf-8";
+        Span<char> cspNonceUtf16 = stackalloc char[32];
+        System.Security.Cryptography.RandomNumberGenerator.GetHexString(cspNonceUtf16, true);
+        response.Headers.ContentSecurityPolicy = $"base-uri {request.Scheme}://{request.Host}/;default-src 'none';script-src 'unsafe-inline' 'nonce-{cspNonceUtf16}'";
+        // unsafe-inline only applies to browsers that don't support nonce. Can be removed someday.
+
+        var writer = context.Response.BodyWriter;
 
         writer.Write("<!DOCTYPE html><html"u8);
 
@@ -50,8 +57,8 @@ public static async Task WriteAsync(
 
         writer.Write("</head><body>"u8);
 
-        await document.WriteBodyContentsAsync(new HtmlWriter(writer), cancellationToken).ConfigureAwait(false);
+        return document.WriteBodyContentsAsync(new HtmlWriter(writer, new Validated.ValidatedAttribute("nonce", cspNonceUtf16)), context.RequestAborted);
 
-        writer.Write("</body></html>"u8);
+        // HTML5 spec doesn't require </body></html>, so that simplifies things a bit here.
     }
 }

HtmlUtilities/HtmlUtilities.csproj

@@ -8,4 +8,7 @@
     <AllowUnsafeBlocks>True</AllowUnsafeBlocks>
     <AnalysisMode>Recommended</AnalysisMode>
   </PropertyGroup>
+  <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+  </ItemGroup>
 </Project>

HtmlUtilities/HtmlWriter.cs

@@ -9,17 +9,24 @@ namespace HtmlUtilities;
 /// A high-performance writer for HTML content.
 /// </summary>
 /// <remarks>UTF-8 is always used.</remarks>
-public readonly struct HtmlWriter
+public sealed class HtmlWriter
 {
     private static readonly ValidatedElement html = new(
         "<!DOCTYPE html><html>"u8.ToArray(),
         "</html>"u8.ToArray());
 
     private readonly IBufferWriter<byte> writer;
+    private readonly ValidatedAttribute cspNonce;
 
     internal HtmlWriter(IBufferWriter<byte> writer)
+        : this(writer, new ValidatedAttribute())
+    {
+    }
+
+    internal HtmlWriter(IBufferWriter<byte> writer, ValidatedAttribute cspNonce)
     {
         ArgumentNullException.ThrowIfNull(this.writer = writer, nameof(writer));
+        ArgumentNullException.ThrowIfNull(this.cspNonce = cspNonce, nameof(cspNonce));
     }
 
     /// <summary>
@@ -317,6 +324,7 @@ public void WriteScript(ValidatedScript script)
             throw new ArgumentException("script was never initialized.", nameof(script));
 
         writer.Write("<script"u8);
+        writer.Write(this.cspNonce.value);
         writer.Write(script.value);
         writer.Write("</script>"u8);
     }

HtmlUtilities/IHtmlDocument.cs

@@ -1,5 +1,4 @@
 using HtmlUtilities.Validated;
-using System.Buffers;
 
 namespace HtmlUtilities;
 
@@ -35,6 +34,8 @@ public interface IHtmlDocument
     /// <remarks>By default, directs the viewer to https://github.com/RyanLamansky/html-utilities to learn how to use this function.</remarks>
     Task WriteBodyContentsAsync(HtmlWriter writer, CancellationToken cancellationToken = default)
     {
+        ArgumentNullException.ThrowIfNull(writer, nameof(writer));
+
         writer.WriteElement("p", null, children =>
         {
             writer.WriteText("Visit ");