FluentCheckbox / InputCheckbox not be able to render correctly with @bind- attributes when unsafe-eval is not part of the Content Security Policy

[aDisplayName]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

This is a copy of microsoft/fluentui-blazor#2783

When "wasm-unsafe-eval" is specified but not "unsafe-eval" in Content Security Policy directive, the rendering of FluentCheckbox / InputCheckbox will fail in client-side interactive rendering

💁 Possible Solution

The workaround is to change from "wasm-unsafe-eval" to "unsafe-eval", but this violates our IT's CSP requirements.

    <meta http-equiv="Content-Security-Policy" 
          content="script-src 'self' 'unsafe-eval';">

🔦 Context

🌍 Your Environment

• Windows 11
• Microsoft Edge Version 129.0.2792.79 (Official build) (64-bit)
• .NET 8.0
• Microsoft.FluentUI.AspNetCore.Components 4.10.0

Expected Behavior

No rendering error should occur when using <FluentCheckbox/> or <InputCheckbox/> while setting CSP to script-src 'self' 'wasm-unsafe-eval';

Steps To Reproduce

I've published an example code https://github.com/aDisplayName/bugsamplecode/tree/main/20241008/FluentRender, which is based .NET 8 Blazor Web App template.

There are three Webassembly page:

• /counter: Using both <FluentCheckbox/> and <InputCheckbox/>
• /counter2: Using only <FluentCheckbox/>
• /counter3: Using only <InputCheckbox/>

Here is the part of the App.razor

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <base href="/" />
    <meta http-equiv="Content-Security-Policy" 
          content="script-src 'self' 'wasm-unsafe-eval';">
    <link rel="stylesheet" href="bootstrap/bootstrap.min.css" />
    <link rel="stylesheet" href="app.css" />
    <link rel="stylesheet" href="FluentRender.styles.css" />
    <link rel="icon" type="image/png" href="favicon.png" />
    <HeadOutlet />
</head>

<body>
    <Routes />
    <script src="_framework/blazor.web.js"></script>
</body>

</html>

And here is one of the razor page using interactivewebassembly rendering

@page "/counter"
@using Microsoft.FluentUI.AspNetCore.Components
@rendermode @(new InteractiveWebAssemblyRenderMode(prerender: false))

<PageTitle>Counter</PageTitle>

<h1>Counter</h1>

<p role="status">Current count: @currentCount</p>

<button class="btn btn-primary" @onclick="IncrementCount">Click me</button>

<FluentCheckbox @bind-Value="_checked">data</FluentCheckbox>
<FluentLabel>@_checked</FluentLabel>
<InputCheckbox @bind-Value="_checked">data</InputCheckbox>
@code {
    private int currentCount = 0;
    private bool _checked = false;

    private void IncrementCount()
    {
        currentCount++;
    }
}

Exceptions (if any)

.NET Version

8.0.400

Anything else?

No response

[javiercn]

@aDisplayName thanks for contacting us.

Do you have issues if you only use the InputCheckBox?

[vnbaaij]

@javiercn yes, there are issues when just using InputCheckbox as well.

[aDisplayName]

Yes, we have the same behavior issue using InputCheckbox as well.

[javiercn]

@pavelsavara @maraf do you know anything about this?

[pavelsavara]

So this is Net8, in which Blazor still uses legacy interop, which is using eval.

Relevant fixes in Net9 are
#52732
dotnet/runtime#96841

Those are not small changes so I don't expect it to be back-ported to Net8.

[javiercn]

@pavelsavara thanks for the insights.

This is then by design, and the improvements are in 9.0.