CSP for Blazor

[Ponant]

Hello,
I would like to know if there is any plan to make the Blazor Framework more strict when it comes to Content Security Policy, especially in the current context of using tokens in session storage (Azure B2C in our case). I am referring to unsafe-eval and unsafe-inline in the docs,
https://docs.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-6.0

Also the idea of using hashes more than allowed lists, see docs above.
That will become important, in my opinion, sooner or later as part of security standards (CSP is widely ignored unfortunately).

[damienbod]

I have this problem as well and due to the Javascript created / required by Blazor, the CSP can not be implemented in a good way. The following script is generated:

<script>
var Module; window.__wasmmodulecallback__(); delete window.__wasmmodulecallback__;
</script>

Can the Javascript not be improved? Due to the Blazor Javascript, the CSP for the script-src is defined with

script-src 'self' 'unsafe-inline' 'unsafe-eval'

It would be really cool if this could be improved.

Greetings Damien

[damienbod]

Also have a problem with the aspnetcore-browser-refresh.js script in dev. Would it be possible to add a way to add a CSP nonce to this script? I could disable this for dev, but I think it would be a better solution not the disable part of the CSP for local dev.

[Ponant]

Hi @damienbod , indeed the browser refresh feature is a mess with CSP, it blocks, hangs and so on.
I have made a small library which focuses on performance an directness rather than being fluent and so on. Basic tests have been made and will probably need improvement. If you wish I can drop it on github. I made this library after realizing that existing ones either have perf issues or a wrong approach to CSP (at least from my understanding). But it is made for server side and .Net 6. code style. Cheers

[Ponant]

@damienbod , there is a placeholder issue on CSP on general, #6001 .
So, I believe we should migrate the questions to this issue in this way the .Net people can better track the need for CSP stuff etc and perhaps respond. So I will close this one.

[damienbod]

@Ponant I don't think you should close this issue. This is the fix for the Blazor stuff which prevents a good CSP definition, how you implement the CSP is a different topic.

[Ponant]

OK