
security: remove style-src unsafe-inline#1144

Open
BenjaminMichaelis wants to merge 2 commits into main from benjaminmichaelis/fix-csp-unsafe-inline

Conversation

@BenjaminMichaelis (Member)

Why

The CSP style-src policy still allowed unsafe-inline, which weakens XSS protections by permitting arbitrary inline styling. This change hardens CSP while keeping existing UI behavior intact.

What changed

  • Removed unsafe-inline from style-src in EssentialCSharp.Web/Program.cs.
  • Replaced inline style="..." attributes in affected Razor views with CSS classes.
  • Added centralized CSS rules in wwwroot/css/styles.css for:
    • MCP setup container/summary styling
    • Password strength meter sizing
    • Guideline icon spacing and color variants
    • Book/logo image heights
  • Updated guideline color rendering from inline color values to type-to-class mapping.

Notes

  • script-src still includes unsafe-inline and was intentionally left unchanged in this PR to keep scope focused on style-src.
  • In this environment, frontend-inclusive build steps are blocked by disk space during npm ci; backend build succeeds with -p:SkipFrontendBuild=true.

Replaces inline style attributes in Razor views with CSS classes and updates CSP style-src to drop unsafe-inline while preserving required external origins.
Copilot AI review requested due to automatic review settings May 20, 2026 04:43
Copilot AI (Contributor) left a comment

Pull request overview

Hardens the site’s Content Security Policy by removing unsafe-inline from style-src and migrating several inline style="..." usages in Razor views into shared CSS classes to preserve UI layout under stricter CSP.

Changes:

  • Removed unsafe-inline from the CSP style-src directive in Program.cs.
  • Replaced a handful of inline style attributes in Razor views with Bootstrap/util classes and new custom CSS classes.
  • Added centralized CSS rules to wwwroot/css/styles.css for MCP setup layout, password strength meter, guideline icon styling, and common image sizing.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Summary per file:

  • EssentialCSharp.Web/Program.cs: Removes unsafe-inline from style-src in the generated CSP header.
  • EssentialCSharp.Web/wwwroot/css/styles.css: Adds new CSS classes intended to replace inline styles (MCP setup, password meter, guideline icons, image sizing).
  • EssentialCSharp.Web/Views/Shared/_Layout.cshtml: Replaces an inline display:none with a Bootstrap d-none class for the DocSearch container.
  • EssentialCSharp.Web/Views/McpSetup/Index.cshtml: Replaces inline max-width and summary styling with new CSS classes.
  • EssentialCSharp.Web/Views/Home/Home.cshtml: Replaces inline book image height with a shared CSS class.
  • EssentialCSharp.Web/Views/Home/About.cshtml: Replaces inline image heights with shared CSS classes (logo + book cover).
  • EssentialCSharp.Web/Views/Home/Guidelines.cshtml: Changes guideline icon coloring from inline style to type→CSS-class mapping.
  • EssentialCSharp.Web/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml: Replaces inline form display style with Bootstrap utility class.
  • EssentialCSharp.Web/Areas/Identity/Pages/_PasswordStrengthMeter.cshtml: Replaces inline progress height/width styles with CSS classes.
Comments suppressed due to low confidence (1)

EssentialCSharp.Web/Program.cs:516

  • Removing 'unsafe-inline' from style-src will cause CSP violations for existing inline styles and script-driven style mutations. For example: Views/McpSetup/Index.cshtml still contains an inline <style> block (see around line ~383), and several first-party scripts set styles via element.style (e.g., wwwroot/js/password-strength.js sets bar.style.width, wwwroot/js/consent-manager.js toggles details.style.display, wwwroot/js/trydotnet-module.js sets heading.style.*). With the new CSP, these will be blocked and can break UI behaviors. Consider either (a) eliminating these inline styles/style mutations (move rules to CSS + switch to class toggles), or (b) explicitly allowing style attributes via style-src-attr 'unsafe-inline' (and/or style-src-elem as appropriate) if you want to keep JS-driven styling while still tightening style-src.
            string csp = string.Join("; ",
                $"default-src 'self'",
                $"script-src 'self' 'unsafe-inline' cdn.jsdelivr.net www.clarity.ms www.googletagmanager.com js.monitor.azure.com https://hcaptcha.com https://*.hcaptcha.com{tryDotNetSources}",
                $"style-src 'self' cdnjs.cloudflare.com fonts.googleapis.com https://hcaptcha.com https://*.hcaptcha.com",
                $"font-src 'self' fonts.gstatic.com cdnjs.cloudflare.com",
                $"img-src 'self' data: https:",
                $"connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://api.pwnedpasswords.com https://*.algolia.net https://*.algolianet.com https://*.google-analytics.com https://*.clarity.ms https://*.in.applicationinsights.azure.com{GetApplicationInsightsCspSources(app.Configuration["APPLICATIONINSIGHTS_CONNECTION_STRING"], app.Logger)}{tryDotNetSources}",
                $"frame-src https://hcaptcha.com https://*.hcaptcha.com https://newassets.hcaptcha.com{tryDotNetSources}",
                $"worker-src blob:",
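
The PR description and the review comment above turn on one question: after the change, which kinds of inline styling and scripting does the header still permit, and what would adding style-src-attr change? The checker below answers that from the policy text alone. It is an added example written for this page, not code from the EssentialCSharp project: it applies the CSP3 fallback chain (style-src-attr and style-src-elem fall back to style-src, then default-src; the script-src pair works the same way) and the rule that browsers ignore 'unsafe-inline' once a nonce, a hash or, for scripts, 'strict-dynamic' appears in the same source list. The three sample policies are constructed for the example from a subset of the origins visible in the review snippet; the CSP_* constants and the function names are the example's own.

```python
"""CSP inline-behaviour checker: which inline styles/scripts does a policy
actually allow once the CSP3 fallback chain is applied?

Added example for this page; not code from the EssentialCSharp project.
Names below (parse_csp, effective_sources, inline_allowed, inline_report,
CSP_* constants) are this example's own.
"""

# Each *-attr / *-elem directive falls back to its parent, then to default-src.
_FALLBACK = {
    "style-src-attr":  ("style-src-attr",  "style-src",  "default-src"),
    "style-src-elem":  ("style-src-elem",  "style-src",  "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
}
_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Serialized policy -> {directive name: [source expressions]}.
    Names are case-insensitive; browsers keep only the first occurrence of
    a repeated directive, so a duplicate is silently dropped here as well."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Walk the fallback chain; return (governing directive, source list),
    or (None, None) when nothing in the chain is set (no restriction)."""
    for name in _FALLBACK[directive]:
        if name in policy:
            return name, policy[name]
    return None, None


def inline_allowed(policy: dict, directive: str) -> bool:
    """CSP3 'does a source list allow all inline behavior': 'unsafe-inline'
    grants it unless a nonce/hash (or 'strict-dynamic' for scripts) is
    present, in which case browsers ignore 'unsafe-inline' entirely."""
    _, sources = effective_sources(policy, directive)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    for s in lowered:
        if s.startswith(_HASH_PREFIXES):
            return False
        if directive.startswith("script") and s == "'strict-dynamic'":
            return False
    return "'unsafe-inline'" in lowered


def inline_report(header: str) -> dict:
    """{directive: True if that kind of inline content is allowed}."""
    policy = parse_csp(header)
    return {d: inline_allowed(policy, d) for d in _FALLBACK}


# Constructed sample policies: the directives relevant here, with a subset of
# the origins shown in the review snippet.
CSP_BEFORE = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' cdn.jsdelivr.net www.clarity.ms; "
    "style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com fonts.googleapis.com; "
    "font-src 'self' fonts.gstatic.com cdnjs.cloudflare.com"
)
# The PR's change: drop 'unsafe-inline' from style-src only.
CSP_AFTER = CSP_BEFORE.replace("style-src 'self' 'unsafe-inline'", "style-src 'self'")
# The reviewer's alternative: keep style= attributes, still block inline <style>.
CSP_ATTR_ONLY = CSP_AFTER + "; style-src-attr 'unsafe-inline'"


if __name__ == "__main__":
    for label, csp in (("before", CSP_BEFORE), ("after", CSP_AFTER),
                       ("after + style-src-attr", CSP_ATTR_ONLY)):
        print(f"{label:>24}: {inline_report(csp)}")
```

Run stand-alone it prints one report per policy: the "before" policy allows every inline form, the "after" policy blocks inline styles (both attribute and element) while script-src-attr and script-src-elem stay allowed, and the attr-only variant is the split the reviewer proposed. The checker reads header text only, so it says nothing about individual hash-listed blocks; note also that CSP's inline-style restriction covers markup style= attributes, <style> elements and setAttribute('style', ...), not CSSOM property writes such as element.style.width, which is why a Content-Security-Policy-Report-Only rollout in a real browser remains the reliable way to find what actually breaks.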

Move MCP setup chevron styles out of inline script section, remove duplicate guideline icon CSS override, and switch password meter width updates to CSP-safe CSS classes.
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

$"default-src 'self'",
$"script-src 'self' 'unsafe-inline' cdn.jsdelivr.net www.clarity.ms www.googletagmanager.com js.monitor.azure.com https://hcaptcha.com https://*.hcaptcha.com{tryDotNetSources}",
$"style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com fonts.googleapis.com https://hcaptcha.com https://*.hcaptcha.com",
$"style-src 'self' cdnjs.cloudflare.com fonts.googleapis.com https://hcaptcha.com https://*.hcaptcha.com",
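Review bot: the script-src line two above the changed style-src still carries 'unsafe-inline' next to cdn.jsdelivr.net, the analytics hosts and hCaptcha, so an injected inline <script> or on* handler still executes; this hunk closes the CSS-injection surface but leaves script injection where it was. The description scopes that out deliberately, so link the follow-up from the PR body; when it comes, a per-response nonce on script-src (with 'strict-dynamic' if the allowed CDN loaders need to pull further scripts) is the usual replacement for 'unsafe-inline'. For this hunk, no style-src-attr line is added, so once deployed every remaining style= attribute and setAttribute('style', ...) call is a policy violation; ship the new value as Content-Security-Policy-Report-Only first, or add a report-to directive, so leftovers surface as reports rather than as broken UI.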