Make mono CSP Compliant #59416

Closed
TanayParikh opened this issue Sep 21, 2021 · 9 comments
Labels: arch-wasm (WebAssembly architecture), area-Debugger-mono
@TanayParikh (Contributor)

Whilst investigating improving CSP compliance in Blazor, I found that Blazor WASM requires unsafe-eval due to mono's usage of eval:

const fn_res = eval (fn_eval_str);

This issue is to examine feasibility of removing this dependency on eval so that unsafe-eval is no longer required in the Blazor WASM CSP.


For reference, I found this article to be helpful for understanding CSP peculiarities (eval section).
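
As an added example (not part of the issue and not code from dotnet/runtime), the following checks whether a given Content-Security-Policy value permits `eval()`, which is the condition this issue is about. The function names and the sample policies are constructed for illustration.

```javascript
// Added example, not dotnet/runtime code. Function names are hypothetical.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    if (directives.has(name)) continue;   // duplicate directive: first one wins
    directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Evaluate a header value. It may carry several comma-separated policies,
// and eval() runs only if every one of them allows it.
function evalVerdict(headerValue) {
  const policies = headerValue
    .split(',')
    .filter((p) => p.trim() !== '')
    .map((policy) => {
      const directives = parsePolicy(policy);
      // eval() is governed by script-src, falling back to default-src.
      const governing = directives.has('script-src') ? 'script-src'
        : directives.has('default-src') ? 'default-src'
        : null;
      // With neither directive present, the policy does not restrict eval().
      const allowed = governing === null ||
        directives.get(governing).some((s) => s.toLowerCase() === "'unsafe-eval'");
      return { governing, allowed };
    });
  return { allowed: policies.every((p) => p.allowed), policies };
}

// Constructed sample policies: the first is what an eval-dependent runtime
// forces a site to ship, the second is what removing eval makes possible.
const samples = [
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "default-src 'self'; script-src 'self'",
];
for (const value of samples) {
  console.log(evalVerdict(value).allowed ? 'eval permitted:' : 'eval blocked:  ', value);
}
```
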

@TanayParikh added the arch-wasm label Sep 21, 2021
@ghost added the untriaged label Sep 21, 2021

ghost commented Sep 21, 2021

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

ghost commented Sep 21, 2021

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

@lambdageek (Member)

A naive search shows that mono_wasm_call_function_on is used by the debug proxy. So perhaps we can move it to some JS lib that isn't used in released apps?

/cc @thaystg

ghost commented Sep 21, 2021

Tagging subscribers to this area: @thaystg
See info in area-owners.md if you want to be subscribed.

lewing (Member) commented Sep 21, 2021

> A naive search shows that mono_wasm_call_function_on is used by the debug proxy. So perhaps we can move it to some JS lib that isn't used in released apps?
>
> /cc @thaystg

we could actually make the proxy inject the support methods and save some space

@thaystg self-assigned this Sep 21, 2021

Ponant (Contributor) commented Sep 22, 2021

@TanayParikh, it is great you out there are working on CSP cleanup.
Regarding the references for reading about CSP, you can find interesting ones here:
https://github.com/Ponant/Galebra.Security/tree/master/src/Galebra.Security.Headers.Csp

@lewing added this to the 7.0.0 milestone Sep 22, 2021
@lewing removed the untriaged label Sep 22, 2021

lewing (Member) commented Oct 23, 2021

this is gone in main

@TanayParikh (Contributor, Author)

> this is gone in main

Assuming this is for 7.0?

lewing (Member) commented Oct 23, 2021

yes

@ghost locked as resolved and limited conversation to collaborators Nov 22, 2021