No guidance for CSP #34351
Comments
dotnetrepoman
bot
added
⌚ Not Triaged
aspnet-core/svc
blazor/subsvc
Source - Docs.ms
|
Hello @akurone ... Open this for the product unit to take a look at ... https://github.com/dotnet/aspnetcore/issues Please add ... ... to the bottom of your opening comment so that I can follow along. I might re-open this for doc work depending on what they say. |
|
BTW @akurone ... The CSP article link is below in case you didn't see it, but I feel like it isn't going to help with your question because we only cover adding a One thing occurred to me that you might be able to control |
|
thanks @guardrex both for quick and detailed reply; i will make a repro (meanwhile try the head trick you mentioned) first than open the issue there. happy holidays! |
|
Sure thing. Yes, I think we would try to cover something about doing this. If you have success with controlling the CSP tag yourself via controlling Since I'm fairly certain that we do want to cover this subject, I'm going to re-open this issue and place it on hold for right now. |
|
hi @guardrex, i opened the issue. i fiddled around with the |
|
Moving from consideration for Blazor's Static Files (or CSP) article to the main doc set Static Files article because this applies to any ASP.NET Core app that relies on Map Static Asset routing conventions with an ImportMap. Javier explains the three approaches to address this scenario on dotnet/aspnetcore#59486 ...
See dotnet/aspnetcore#59486 for a longer description of the scenario that this applies to. |
guardrex
added
fundamentals/subsvc
and removed
Blazor
needs-more-info
blazor/subsvc
labels
|
thanks @guardrex, let me know if i can provide any help. |
|
@Rick-Anderson will take this over. We've split the doc set among us by article and node (folder of articles). Rick maintains this article. He'll be on at some point, and I'm sure if you want to submit a PR to address this that he'd be happy to have it. You'd just need to work out with him where in the article (or in a different article) the guidance should be placed. |
[Moving from consideration for Blazor's Static Files (or CSP) article because this applies to any ASP.NET Core app that relies on Map Static Asset routing conventions. See my issue comment below 👇 for more information.]
Description
Hello,
After updating my (WASM) Blazor project to .net9 and switching to map static assets, I have encountered problems with content security policy: due to security requirements of the project I have to send a rather strict policy that only enables safe sources to run on the page. But the I could not find a way to handle the
<ImportMap />part with that CSP: it renders as an inline script tag (which is not allowed by CSP header) but contents of the inline script changes when the related output changes (fine for me but) so it cannot be excluded from CSP with a hash. I could not find any info for CSP on this page (also tried security section in Blazor docs); am I missing something?Page URL
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-9.0
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/fundamentals/static-files.md
Document ID
3fec6e08-fc99-7a5c-796f-3f2347cad891
Article author
@Rick-Anderson
Related Issues
The text was updated successfully, but these errors were encountered: