No guidance for CSP

[akurone]

[Moving from consideration for Blazor's Static Files (or CSP) article because this applies to any ASP.NET Core app that relies on Map Static Asset routing conventions. See my issue comment below 👇 for more information.]

Description

Hello,

After updating my (WASM) Blazor project to .net9 and switching to map static assets, I have encountered problems with content security policy: due to security requirements of the project I have to send a rather strict policy that only enables safe sources to run on the page. But the I could not find a way to handle the <ImportMap /> part with that CSP: it renders as an inline script tag (which is not allowed by CSP header) but contents of the inline script changes when the related output changes (fine for me but) so it cannot be excluded from CSP with a hash. I could not find any info for CSP on this page (also tried security section in Blazor docs); am I missing something?

Page URL

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/fundamentals/static-files.md

Document ID

3fec6e08-fc99-7a5c-796f-3f2347cad891

Article author

@Rick-Anderson

Related Issues

[guardrex]

Hello @akurone ... Open this for the product unit to take a look at ...

https://github.com/dotnet/aspnetcore/issues

Please add ...

cc: @guardrex https://github.com/dotnet/AspNetCore.Docs/issues/34351

... to the bottom of your opening comment so that I can follow along. I might re-open this for doc work depending on what they say.

[guardrex]

BTW @akurone ... The CSP article link is below in case you didn't see it, but I feel like it isn't going to help with your question because we only cover adding a script-src with a stable hash (or script-src 'unsafe-inline'; to allow them all), so you'll probably need to talk to the product unit about what's going on with your app.

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-9.0

One thing occurred to me that you might be able to control <head> content dynamically to load a dynamic hash of a dynamic script. Still tho, I'm not sure if that would work. I've never personally tried that approach. It's best if you chat with the engineers about what your app needs to do. I'll keep an 👁 on your product unit issue; and if we need to improve the CSP article, I'll re-open this issue to work on it.

[akurone]

thanks @guardrex both for quick and detailed reply; i will make a repro (meanwhile try the head trick you mentioned) first than open the issue there.

happy holidays!

[guardrex]

Sure thing. Yes, I think we would try to cover something about doing this. If you have success with controlling the CSP tag yourself via controlling <head> content, then I'll put up a remark about that in the CSP article, and I'll check with the product unit to make sure that they're happy with what I write. If that approach fails, we'll see what they say on a PU issue and cover it either way based on what they tell you.

Since I'm fairly certain that we do want to cover this subject, I'm going to re-open this issue and place it on hold for right now.