CSP for Blazor #34428
Comments
I have this problem as well and, due to the JavaScript created / required by Blazor, the CSP cannot be implemented in a good way. The following script is generated:
Can the Javascript not be improved? Due to the Blazor Javascript, the CSP for the script-src is defined with
It would be really cool if this could be improved. Greetings Damien
Also have a problem with the aspnetcore-browser-refresh.js script in dev. Would it be possible to add a way to add a CSP nonce to this script? I could disable this for dev, but I think it would be a better solution not to disable part of the CSP for local dev.
Hi @damienbod, indeed the browser refresh feature is a mess with CSP, it blocks, hangs and so on.
@damienbod, there is a placeholder issue on CSP in general, #6001.
@Ponant I don't think you should close this issue. This is the fix for the Blazor stuff which prevents a good CSP definition; how you implement the CSP is a different topic.
OK
@damienbod, hi, here is the code as promised (sorry for the delay, I was out on holiday!), #6001. Your comments are most welcome.
cc/ @radical based on the git blame history. What would the feasibility be to remove |
Okay, having #36771 close out this issue. With that PR, Created #36805 to investigate removing the inline module script in Blazor Wasm, in the interim the Lastly, created dotnet/runtime#59416 to investigate feasibility of removing
Reflects changes in dotnet/aspnetcore#36771 / dotnet/aspnetcore#34428. Created dotnet/aspnetcore#36805 to track removal of the inline script which requires the `sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=` hash.
* Blazor Server Allow Unsafe Inline For: #34428 * Update MonoPlatform.ts * Fix DefaultReconnectDisplay.test * PR Feedback
@TanayParikh IMO, this issue still needs to be open because there are 3 aspects of Blazor WASM which are forcing us to incorporate a lax CSP
Hi @indcoder. The fixes from this issue were mainly targeted towards Blazor Server.
This should be done already. The only thing on "Hold" is the documentation. It will be released inline with the release to avoid confusion.
This has an external dependency on
Using #33068 to track this.
Thank you @TanayParikh for the clarification and for spawning them into their own individual issues for better tracking and triaging. Going with the below for now in my Azure SWA. Hunted them by going `default-src 'none'`:

```json
{
  "content-security-policy": "default-src 'none'; object-src 'none'; connect-src 'self'; script-src 'self' 'sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=' 'unsafe-eval'; font-src 'self'; img-src 'self' data: https:; upgrade-insecure-requests;"
}
```

Only delta from below is font-src
Hello,
I would like to know if there is any plan to make the Blazor Framework more strict when it comes to Content Security Policy, especially in the current context of using tokens in session storage (Azure B2C in our case). I am referring to `unsafe-eval` and `unsafe-inline` in the docs, https://docs.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-6.0
Also the idea of using hashes more than allowed lists, see docs above.
That will become important, in my opinion, sooner or later as part of security standards (CSP is widely ignored unfortunately).