Update CSP for server-side Blazor (Blazor Web App) #35017

@guardrex

Description

Noticed while working on something else that our server-side Blazor example CSP has several policy violations for a BWA with Interactive Auto/WebAssembly rendering. The policy will need the 'wasm-unsafe-eval', which is currently only specified for standalone Blazor WebAssembly apps.

Possibly the following for a BWA Interactive Auto app ...

<meta http-equiv="Content-Security-Policy"
        content="base-uri 'self';
            default-src 'self';
            img-src data: https:;
            object-src 'none';
            script-src 'self' 'wasm-unsafe-eval';
            style-src 'self';
            connect-src 'self' http://localhost:* wss://localhost:* ws://localhost:*;
            upgrade-insecure-requests;">

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/content-security-policy.md

Document ID

6e0b5c52-90a1-5ca6-bfad-df33a8beae6c

Platform Id

c400bf09-7fec-506a-248f-56cbea0ffda2

Article author

@guardrex

Metadata

  • ID: 88177a7d-c9ff-c245-5629-a462c9258abf
  • PlatformId: c400bf09-7fec-506a-248f-56cbea0ffda2
  • Service: aspnet-core
  • Sub-service: blazor
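
The check described in the issue, as an added example that is not part of the original post or the docs: a small CSP parser that reports whether a policy permits WebAssembly compilation, taking the `script-src` to `default-src` fallback into account. The function names and the three comparison policies are constructed for illustration; only `PROPOSED` is the policy from the issue.

```javascript
// Added example (not from the issue or the docs): CSP check for WebAssembly compilation.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether the policy lets the page compile WebAssembly.
function checkWasm(policy) {
  const d = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const from = d.has('script-src') ? 'script-src'
    : d.has('default-src') ? 'default-src' : null;
  if (from === null) {
    return { wasmAllowed: true, from, finding: 'no script restriction at all' };
  }
  // Keyword sources are matched case-insensitively.
  const sources = d.get(from).map((s) => s.toLowerCase());
  if (sources.includes("'wasm-unsafe-eval'")) {
    return { wasmAllowed: true, from, finding: 'ok' };
  }
  if (sources.includes("'unsafe-eval'")) {
    return { wasmAllowed: true, from,
      finding: "'unsafe-eval' also permits eval(); narrow it to 'wasm-unsafe-eval'" };
  }
  return { wasmAllowed: false, from,
    finding: "WebAssembly compilation blocked; script-src needs 'wasm-unsafe-eval'" };
}

// Policy proposed in the issue for a BWA Interactive Auto app.
const PROPOSED = `base-uri 'self'; default-src 'self'; img-src data: https:;
  object-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self';
  connect-src 'self' http://localhost:* wss://localhost:* ws://localhost:*;
  upgrade-insecure-requests;`;
// Constructed variants for comparison (not taken from the docs).
const NO_WASM = "default-src 'self'; script-src 'self'; object-src 'none'";
const FALLBACK = "default-src 'self'; object-src 'none'";
const BROAD = "default-src 'self'; script-src 'self' 'unsafe-eval'";

for (const [label, p] of Object.entries({ PROPOSED, NO_WASM, FALLBACK, BROAD })) {
  console.log(label, checkWasm(p));
}
```
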

Status

Done