Skip to content

Make blazor.server.js compatible with strict CSS CSP #58629

New issue
New issue
Closed
Bug
#60376
Closed
Make blazor.server.js compatible with strict CSS CSP#58629
Bug
#60376
Assignees
oroztocil
Labels
Priority:1Work that is critical for the release, but we could probably ship withoutarea-blazorIncludes: Blazor, Razor Components
Milestone
10.0-preview2
@michaelongithub

Description

@michaelongithub
michaelongithub
opened on Oct 25, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

blazor.server.js creates sometimes inline styles dynamically at runtime. This is a violation of strict Css CSP Policies. Workarounds with JS CreateElement and analogous tricks is unsafe itself, because it defeats the purpose of CSP by creating a bypass mechanism and is vulnerable to being overwritten by XSS attacks.

Describe the solution you'd like

The framework itself should provide a possibility (flag,option,...) to create CSP nonces for by the framework generated inline styles.

Additional context

No response

Metadata

Metadata

Assignees

Labels

Priority:1Work that is critical for the release, but we could probably ship withoutarea-blazorIncludes: Blazor, Razor Components

Type

Bug

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions