
Update Blazor CSP guidance #31105

Closed
guardrex opened this issue Nov 22, 2023 · 0 comments · Fixed by #31106

Comments

guardrex (Collaborator) commented Nov 22, 2023

Description

I see some things right off the bat that we'll need to take a look at, but I'll postpone further analysis and work until after the 🦃 Day holiday weekend.

Using the article's existing CSPs in Development, the apps 💥 ...

Blazor WebAssembly App console:

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). content-scripts.js:1:68303

Content-Security-Policy: The page’s settings blocked the loading of a resource at http://localhost:50718/51c2056085fd4c939faa2de8d70c75d7/browserLinkSignalR/negotiate?requestUrl=https%3A%2F%2Flocalhost%3A7192%2F&browserName=&userAgent=Mozilla%2F5.0+(Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A120.0)+Gecko%2F20100101+Firefox%2F120.0&browserIdKey=window.browserLink.initializationData.browserId&browserId=de81-34e8&clientProtocol=1.3&_=1700650384917 (“default-src”). browserLink:21:85934

Content-Security-Policy: The page’s settings blocked the loading of a resource at http://localhost:50718/51c2056085fd4c939faa2de8d70c75d7/browserLinkSignalR/negotiate?requestUrl=https%3A%2F%2Flocalhost%3A7192%2F&browserName=&userAgent=Mozilla%2F5.0+(Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A120.0)+Gecko%2F20100101+Firefox%2F120.0&browserIdKey=window.browserLink.initializationData.browserId&browserId=fa74-e36f&clientProtocol=1.3&_=1700650384951 (“default-src”). browserLink:21:85934

Content-Security-Policy: The page’s settings blocked the loading of a resource at wss://localhost:44395/BlazorWASM80TestLocalization/ (“default-src”). aspnetcore-browser-refresh.js:268:24

Content-Security-Policy: The page’s settings blocked the loading of a resource at ws://localhost:50713/BlazorWASM80TestLocalization/ (“default-src”).

Blazor Web App console:

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). content-scripts.js:1:68303

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). localhost:7119:55:12

Content-Security-Policy: The page’s settings blocked the loading of a resource at http://localhost:50770/325b583f9e124ddaaf88b73bf8edbc3b/browserLinkSignalR/negotiate?requestUrl=https%3A%2F%2Flocalhost%3A7119%2F&browserName=&userAgent=Mozilla%2F5.0+(Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A120.0)+Gecko%2F20100101+Firefox%2F120.0&browserIdKey=window.browserLink.initializationData.browserId&browserId=dbdf-4ffa&clientProtocol=1.3&_=1700650696403 (“default-src”). browserLink:21:85934

Content-Security-Policy: The page’s settings blocked the loading of a resource at http://localhost:50770/325b583f9e124ddaaf88b73bf8edbc3b/browserLinkSignalR/negotiate?requestUrl=https%3A%2F%2Flocalhost%3A7119%2F&browserName=&userAgent=Mozilla%2F5.0+(Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A120.0)+Gecko%2F20100101+Firefox%2F120.0&browserIdKey=window.browserLink.initializationData.browserId&browserId=b50e-b33a&clientProtocol=1.3&_=1700650696441 (“default-src”). browserLink:21:85934

Content-Security-Policy: The page’s settings blocked the loading of a resource at wss://localhost:44342/BlazorWebApp80EnvironmentTesting/ (“default-src”). aspnetcore-browser-refresh.js:268:24

Content-Security-Policy: The page’s settings blocked the loading of a resource at ws://localhost:50766/BlazorWebApp80EnvironmentTesting/ (“default-src”). aspnetcore-browser-refresh.js:268:24

I think we should throw a 🐶 a 🦴 and explain how devs can avoid CSP errors during development.

One simple approach with Razor in the App component of a BWA (that would apply to all layouts) is ...

@inject IHostEnvironment Env

<!DOCTYPE html>
<html lang="en">

<head>
    ...
    @if (!Env.IsDevelopment())
    {
        <meta http-equiv="Content-Security-Policy"
              content="base-uri 'self';
                       default-src 'self';
                       img-src data: https:;
                       object-src 'none';
                       script-src 'self';
                       style-src 'self';
                       upgrade-insecure-requests;">
    }
</head>

...

Also, the layout approach works, but it would need to be in all of the app's layouts ...

@inject IHostEnvironment Env

@if (!Env.IsDevelopment())
{
    <HeadContent>
        <meta http-equiv="Content-Security-Policy"
              content="base-uri 'self';
                       default-src 'self';
                       img-src data: https:;
                       object-src 'none';
                       script-src 'self';
                       style-src 'self';
                       upgrade-insecure-requests;">
    </HeadContent>
}

For Blazor WebAssembly apps, it can be done in the app's layouts or the App component with ...

@using Microsoft.AspNetCore.Components.WebAssembly.Hosting
@inject IWebAssemblyHostEnvironment Env

@if (!Env.IsDevelopment())
{
    <HeadContent>
        <meta http-equiv="Content-Security-Policy"
              content="base-uri 'self';
                       default-src 'self';
                       img-src data: https:;
                       object-src 'none';
                       script-src 'self'
                                  'wasm-unsafe-eval';
                       style-src 'self';
                       upgrade-insecure-requests;">
    </HeadContent>
}

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/content-security-policy.md

Document ID

6e0b5c52-90a1-5ca6-bfad-df33a8beae6c

Article author

guardrex
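The console lines quoted in the issue all come from the same two rules: an inline script fails `script-src 'self'` because `'self'` never matches inline code, and the Browser Link and browser-refresh connections fall back to `default-src 'self'`, which only matches the page's own scheme, host and port (here `https://localhost:7192`), so the tooling's `http://localhost:50718`, `wss://localhost:44395` and `ws://localhost:50713` endpoints are rejected. The following is an added example, not code from the issue or from the ASP.NET Core docs: a simplified CSP Level 3 source-matching model (keywords `'self'`, `'none'`, `'unsafe-inline'`, scheme-sources and host-sources; nonces and hashes are not modelled) that re-checks the blocked resources from the Firefox output against the article's policy and a few constructed control URLs (`img.example.test`, the `_framework` script path) that should pass. Passing an empty policy, which is what the Razor snippets above emit in Development, allows everything.

```python
from urllib.parse import urlsplit

# Added example (not from the issue or the docs): a simplified CSP3 matcher.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Fetch directives fall back to default-src when absent (CSP3 fallback list, abridged).
FALLBACK = {
    "script-src": ("script-src", "default-src"),
    "style-src": ("style-src", "default-src"),
    "img-src": ("img-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),  # fetch/XHR/WebSocket/EventSource
    "object-src": ("object-src", "default-src"),
}

# The policy from the article, as quoted in the issue's Razor snippets.
ARTICLE_POLICY = (
    "base-uri 'self'; default-src 'self'; img-src data: https:; "
    "object-src 'none'; script-src 'self'; style-src 'self'; upgrade-insecure-requests;"
)


def parse_csp(policy):
    """Serialized policy -> {directive: [source expressions]}; first occurrence wins."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _matches_self(origin, url):
    o, u = urlsplit(origin), urlsplit(url)
    same_host_port = o.hostname == u.hostname and _port(o) == _port(u)
    # 'self' is the page's origin plus its secure (https/wss) counterpart on the same host+port.
    return same_host_port and (u.scheme == o.scheme or u.scheme in ("https", "wss"))


def _matches_host_source(expr, origin, url):
    u = urlsplit(url)
    if "://" not in expr and expr.endswith(":"):  # scheme-source, e.g. https: or data:
        scheme = expr[:-1].lower()
        return u.scheme == scheme or (scheme, u.scheme) in {("http", "https"), ("ws", "wss")}
    scheme, _, rest = expr.rpartition("://") if "://" in expr else ("", "", expr)
    host, _, port = rest.split("/", 1)[0].partition(":")
    want_scheme = scheme.lower() or urlsplit(origin).scheme  # no scheme: the page's own scheme
    if u.scheme != want_scheme and (want_scheme, u.scheme) not in {("http", "https"), ("ws", "wss")}:
        return False
    hostname = (u.hostname or "").lower()
    if host.startswith("*."):
        if not hostname.endswith(host[1:].lower()):
            return False
    elif host != "*" and hostname != host.lower():
        return False
    if port == "":
        return _port(u) == DEFAULT_PORTS.get(u.scheme)  # no port given: default port only
    return port == "*" or _port(u) == int(port)


def is_allowed(policy, origin, directive, url=None, inline=False):
    """Return (allowed, governing directive) for a request made by the page at `origin`."""
    directives = parse_csp(policy)
    governing = next((d for d in FALLBACK[directive] if d in directives), None)
    if governing is None:
        return True, None  # no directive restricts this fetch (e.g. empty Development policy)
    sources = directives[governing]
    if inline:
        return "'unsafe-inline'" in sources, governing  # nonces/hashes not modelled
    for expr in sources:
        if expr == "'self'":
            if _matches_self(origin, url):
                return True, governing
        elif not expr.startswith("'") and _matches_host_source(expr, origin, url):
            return True, governing
    return False, governing  # covers 'none' and no matching source


def audit_console_lines():
    """Re-check the resources Firefox reported as blocked in the issue against the article's CSP."""
    origin = "https://localhost:7192"  # the Blazor WebAssembly app's origin from the issue
    checks = {
        "inline script": ("script-src", None, True),
        "browserLink negotiate": ("connect-src",
            "http://localhost:50718/51c2056085fd4c939faa2de8d70c75d7/browserLinkSignalR/negotiate", False),
        "browser-refresh wss": ("connect-src", "wss://localhost:44395/BlazorWASM80TestLocalization/", False),
        "browser-refresh ws": ("connect-src", "ws://localhost:50713/BlazorWASM80TestLocalization/", False),
        # Constructed controls that the policy should allow:
        "own script": ("script-src", "https://localhost:7192/_framework/blazor.webassembly.js", False),
        "https image": ("img-src", "https://img.example.test/logo.png", False),
        "data image": ("img-src", "data:image/png;base64,iVBORw0KGgo=", False),
    }
    return {name: is_allowed(ARTICLE_POLICY, origin, directive, url, inline)
            for name, (directive, url, inline) in checks.items()}


if __name__ == "__main__":
    for name, (allowed, directive) in audit_console_lines().items():
        print(f"{name:22} {'allowed' if allowed else 'BLOCKED':8} by {directive}")
```

Running it reproduces the issue's console output: the inline script is blocked by `script-src`, and the three development-tooling connections are blocked by `default-src` because their ports differ from the page's. The same model also shows why the production policy is still adequate for the app's own traffic: a `wss://localhost:7192/...` circuit is same host and port with a secure scheme, so `'self'` matches it, which is the reason the Development-only omission in the Razor snippets is preferable to loosening `default-src` for everyone.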

@guardrex guardrex added Source - Docs.ms Docs Customer feedback via GitHub Issue ⌚ Not Triaged labels Nov 22, 2023
@github-project-automation github-project-automation bot moved this to Triage in Blazor.Docs Nov 22, 2023
@guardrex guardrex added Pri1 doc-enhancement 8.0 .NET 8 and removed Source - Docs.ms Docs Customer feedback via GitHub Issue labels Nov 22, 2023
@guardrex guardrex moved this from Triage to 8.0 in Blazor.Docs Nov 22, 2023
@guardrex guardrex changed the title Confirm/update Blazor CSP guidance Update Blazor CSP guidance Nov 22, 2023
@guardrex guardrex moved this from 8.0 to In progress in Blazor.Docs Nov 22, 2023
@dotnet dotnet deleted a comment from github-actions bot Nov 22, 2023
@github-project-automation github-project-automation bot moved this from In progress to Done in Blazor.Docs Nov 28, 2023