dotnet/AspNetCore.Docs

No guidance for CSP

akurone opened this issue · 8 comments

[Moving from consideration for Blazor's Static Files (or CSP) article because this applies to any ASP.NET Core app that relies on Map Static Asset routing conventions. See my issue comment below 👇 for more information.]

Description

Hello,

After updating my (WASM) Blazor project to .net9 and switching to map static assets, I have encountered problems with content security policy: due to security requirements of the project I have to send a rather strict policy that only enables safe sources to run on the page. But I could not find a way to handle the <ImportMap /> part with that CSP: it renders as an inline script tag (which is not allowed by the CSP header), but the contents of the inline script change when the related output changes (fine for me, but) so it cannot be excluded from CSP with a hash. I could not find any info for CSP on this page (also tried the security section in the Blazor docs); am I missing something?

Page URL

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/fundamentals/static-files.md

Document ID

3fec6e08-fc99-7a5c-796f-3f2347cad891

Article author

@Rick-Anderson

Related Issues

Hello @akurone ... Open this for the product unit to take a look at ...

https://github.com/dotnet/aspnetcore/issues

Please add ...

cc: @guardrex https://github.com/dotnet/AspNetCore.Docs/issues/34351

... to the bottom of your opening comment so that I can follow along. I might re-open this for doc work depending on what they say.

BTW @akurone ... The CSP article link is below in case you didn't see it, but I feel like it isn't going to help with your question because we only cover adding a script-src with a stable hash (or script-src 'unsafe-inline'; to allow them all), so you'll probably need to talk to the product unit about what's going on with your app.

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-9.0

One thing occurred to me that you might be able to control <head> content dynamically to load a dynamic hash of a dynamic script. Still tho, I'm not sure if that would work. I've never personally tried that approach. It's best if you chat with the engineers about what your app needs to do. I'll keep an 👁 on your product unit issue; and if we need to improve the CSP article, I'll re-open this issue to work on it.

thanks @guardrex both for the quick and detailed reply; I will make a repro (meanwhile try the head trick you mentioned) first, then open the issue there.

happy holidays!

Sure thing. Yes, I think we would try to cover something about doing this. If you have success with controlling the CSP tag yourself via controlling <head> content, then I'll put up a remark about that in the CSP article, and I'll check with the product unit to make sure that they're happy with what I write. If that approach fails, we'll see what they say on a PU issue and cover it either way based on what they tell you.

Since I'm fairly certain that we do want to cover this subject, I'm going to re-open this issue and place it on hold for right now.

hi @guardrex, I opened the issue. I fiddled around with the <head> but it was going to be very hacky so I didn't chase it.

Moving from consideration for Blazor's Static Files (or CSP) article to the main doc set Static Files article because this applies to any ASP.NET Core app that relies on Map Static Asset routing conventions with an ImportMap.

Javier explains the three approaches to address this scenario on dotnet/aspnetcore#59486 ...

There are a few things you can do

  • Use a nonce on the script tag.
  • Grab the ImportMap from httpContext.GetEndpoint().Metadata.GetOrderedMetadata<ImportMap>() and compute the integrity from the string representation: $"sha256-{Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(importMap.ToString())))}"
  • Avoid using the importmap at all (just here for completeness, ideally the second option is the best)

See dotnet/aspnetcore#59486 for a longer description of the scenario that this applies to.
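The second option above (hash the import map that will be rendered for the matched endpoint and put that hash in `script-src`), written out as an added example for this thread; it is not code from the ASP.NET Core repo or from the commenters. It assumes a .NET 9 app using `MapStaticAssets()` with `<ImportMap />` in the root component, that the endpoint metadata type the thread calls `ImportMap` is `ImportMapDefinition` (with its `ToString()` and static `Combine`), and that the middleware is registered after routing so `GetEndpoint()` is populated.

```csharp
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Http;

// Added example: emits a strict CSP whose script-src allows the page's
// import map by hash instead of 'unsafe-inline'. Assumed type name:
// ImportMapDefinition (what <ImportMap /> reads from endpoint metadata).
public static class ImportMapCspExtensions
{
    // Returns the CSP source expression ('sha256-...') for the import map
    // that <ImportMap /> will render for this endpoint, or null if none.
    public static string? ComputeImportMapHash(HttpContext context)
    {
        var endpoint = context.GetEndpoint();
        if (endpoint is null) return null;

        var definitions = endpoint.Metadata.GetOrderedMetadata<ImportMapDefinition>();
        if (definitions.Count == 0) return null;

        // <ImportMap /> renders a single definition as-is and combines several;
        // the hash must cover exactly the text the component emits.
        var importMap = definitions.Count == 1
            ? definitions[0]
            : ImportMapDefinition.Combine(definitions.ToArray());

        return CspHashFor(importMap.ToString());
    }

    // Hash of the exact bytes between <script type="importmap"> and </script>.
    // Any whitespace or ordering difference produces a different hash.
    public static string CspHashFor(string scriptBody)
    {
        var digest = SHA256.HashData(Encoding.UTF8.GetBytes(scriptBody));
        return $"'sha256-{Convert.ToBase64String(digest)}'";
    }

    // Register after routing (app.UseRouting() or WebApplication's implicit
    // routing) and before the endpoints, e.g. app.UseImportMapCsp();
    public static IApplicationBuilder UseImportMapCsp(this IApplicationBuilder app) =>
        app.Use(async (context, next) =>
        {
            var hash = ComputeImportMapHash(context);
            var scriptSrc = hash is null ? "'self'" : $"'self' {hash}";
            context.Response.Headers["Content-Security-Policy"] =
                $"default-src 'self'; script-src {scriptSrc}; object-src 'none'; base-uri 'self'";
            await next(context);
        });
}
```

Because the import map is part of the endpoint's metadata rather than a fixed string, the hash is recomputed per request and stays correct when fingerprinted asset names change between builds; if the header is instead set from a static value, the first republish breaks the page.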

thanks @guardrex, let me know if i can provide any help.

@Rick-Anderson will take this over. We've split the doc set among us by article and node (folder of articles). Rick maintains this article. He'll be on at some point, and I'm sure if you want to submit a PR to address this that he'd be happy to have it. You'd just need to work out with him where in the article (or in a different article) the guidance should be placed.