
No guidance for CSP #34351

Open
akurone opened this issue Dec 12, 2024 · 6 comments

Comments

@akurone

akurone commented Dec 12, 2024

Description

Hello,

After updating my (WASM) Blazor project to .NET 9 and switching to map static assets, I have encountered problems with content security policy: due to the security requirements of the project I have to send a rather strict policy that only enables safe sources to run on the page. But I could not find a way to handle the <ImportMap /> part with that CSP: it renders as an inline script tag (which is not allowed by the CSP header), but the contents of the inline script change when the related output changes (fine for me, but) so it cannot be excluded from CSP with a hash. I could not find any info on CSP on this page (I also tried the security section in the Blazor docs); am I missing something?

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/fundamentals/static-files?view=aspnetcore-9.0#import-maps

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/fundamentals/static-files.md

Document ID

25458428-030f-6acb-457e-1b4dfa722043

Article author

@guardrex

Related Issues

Contributor

🏂🎁 Happy Holidays! ❄️⛄

Stand-by! ... A green dinosaur 🦖 will be along shortly to assist.

@guardrex
Collaborator

Hello @akurone ... Open this for the product unit to take a look at ...

https://github.com/dotnet/aspnetcore/issues

Please add ...

cc: @guardrex https://github.com/dotnet/AspNetCore.Docs/issues/34351

... to the bottom of your opening comment so that I can follow along. I might re-open this for doc work depending on what they say.

@github-project-automation github-project-automation bot moved this from Triage to Done in Blazor.Docs Dec 12, 2024
@guardrex
Collaborator

guardrex commented Dec 12, 2024

BTW @akurone ... The CSP article link is below in case you didn't see it, but I feel like it isn't going to help with your question because we only cover adding a script-src with a stable hash (or script-src 'unsafe-inline'; to allow them all), so you'll probably need to talk to the product unit about what's going on with your app.

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-9.0

One thing occurred to me that you might be able to control <head> content dynamically to load a dynamic hash of a dynamic script. Still tho, I'm not sure if that would work. I've never personally tried that approach. It's best if you chat with the engineers about what your app needs to do. I'll keep an 👁 on your product unit issue; and if we need to improve the CSP article, I'll re-open this issue to work on it.
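The two mechanisms discussed in this thread, a `script-src` hash fixed at build time versus a value produced per response, can be seen side by side in the following added example. It is not code from this issue, from the docs article, or from ASP.NET Core itself; the import map JSON strings and the fingerprint suffixes in them are constructed placeholders, not real MapStaticAssets output, and the example assumes the server can either read the exact rendered script text (for the hash) or stamp the same nonce on the rendered tag (for the nonce). It shows why a hash computed for one build does not cover the next build's import map, and what a per-response hash or nonce looks like in the header.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the issue or from ASP.NET Core): how CSP script-src
// hash and nonce sources relate to an inline <script type="importmap"> tag.
public static class CspSources
{
    // A hash source is base64(SHA-256(exact text between <script> and </script>)).
    // Whitespace, key order and the fingerprint inside every URL are all part of
    // that text, so any change to the rendered map changes the hash.
    public static string Sha256Source(string inlineScriptText)
    {
        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes(inlineScriptText));
        return $"'sha256-{Convert.ToBase64String(digest)}'";
    }

    // A nonce source is a fresh random value per response; the same value is
    // echoed on the <script nonce="..."> attribute, so the script text no longer
    // matters to the policy.
    public static string NewNonce() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));

    // 'wasm-unsafe-eval' is the source expression that lets a Blazor WebAssembly
    // app instantiate its .wasm modules without resorting to 'unsafe-eval'.
    public static string BuildHeader(string scriptSrcExtra) =>
        $"default-src 'self'; script-src 'self' 'wasm-unsafe-eval' {scriptSrcExtra}; " +
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
}

public static class Program
{
    public static void Main()
    {
        // Constructed import maps: the same logical map after two builds that changed
        // the fingerprint of one module (placeholder suffixes, not real output).
        const string buildA =
            "{\"imports\":{\"./js/app.js\":\"./js/app.AAAA1111.js\"}}";
        const string buildB =
            "{\"imports\":{\"./js/app.js\":\"./js/app.BBBB2222.js\"}}";

        string hashA = CspSources.Sha256Source(buildA);
        string hashB = CspSources.Sha256Source(buildB);
        Console.WriteLine($"build A: {hashA}");
        Console.WriteLine($"build B: {hashB}");
        // A hash baked into a static header at build A time stops matching at build B.
        Console.WriteLine($"same hash across builds: {hashA == hashB}");

        // Option 1: hash computed from the text actually rendered for this response.
        Console.WriteLine(CspSources.BuildHeader(hashA));

        // Option 2: nonce shared between the header and the tag for this response.
        string nonce = CspSources.NewNonce();
        Console.WriteLine(CspSources.BuildHeader($"'nonce-{nonce}'"));
        Console.WriteLine(
            $"<script type=\"importmap\" nonce=\"{nonce}\">{buildA}</script>");
    }
}
```

Either per-response option keeps `'unsafe-inline'` out of the policy. The hash route needs the exact bytes that end up between the script tags, so any later rewriting of the response (minification, whitespace trimming) invalidates it; the nonce route needs the nonce to be unpredictable and generated fresh for every response, never cached with the page.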

@akurone
Author

akurone commented Dec 13, 2024

thanks @guardrex both for the quick and detailed reply; I will make a repro (and meanwhile try the head trick you mentioned) first, then open the issue there.

happy holidays!

@guardrex
Collaborator

Sure thing. Yes, I think we would try to cover something about doing this. If you have success with controlling the CSP tag yourself via controlling <head> content, then I'll put up a remark about that in the CSP article, and I'll check with the product unit to make sure that they're happy with what I write. If that approach fails, we'll see what they say on a PU issue and cover it either way based on what they tell you.

Since I'm fairly certain that we do want to cover this subject, I'm going to re-open this issue and place it on hold for right now.

@akurone
Author

akurone commented Dec 14, 2024

hi @guardrex, I opened the issue. I fiddled around with the <head>, but it was going to be very hacky, so I didn't chase it.

Projects
Status: On Hold