Remove `unsafe-eval` CSP Requirement for Blazor WASM

Question

Remove `unsafe-eval` CSP Requirement for Blazor WASM

TanayParikh opened this issue 4 years ago · 19 comments

TanayParikh commented 4 years ago

Runtime made the necessary changes that unsafe-eval may no longer be required for Blazor WASM: dotnet/runtime#59416

Note, there's also a Chrome bug which may come into play here (WebAssembly/content-security-policy#7)

This issue tracks validating this fix, and the associated documentation updates.

Original CSP Issue: #34428

Answer 1 · 2021-12-08T20:34:54.000Z

Unfortunately this is still an issue due to the Chrome bug:

This resource helps detect if the chrome issue is resolved (WASM related, not blazor specific): https://s3.amazonaws.com/webassembly-chrome-csp/csp_test.html

Others are having the same issue as well: element-hq/element-web#12262

Answer 2 · 2021-12-08T21:20:51.000Z

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

Answer 3 · 2022-04-22T02:03:18.000Z

@TanayParikh based on my testing with dotnet.7.0.0-preview.3.22175.4 the runtime still requires unsafe-eval, mainly due to the evaluation of string in the following line:

https://github.com/dotnet/runtime/blob/14584c60b41ddc361442539f78bc3d54d3ab3ea2/src/mono/wasm/runtime/method-binding.ts#L113

The original issue was closed and locked so I am hoping you might be able to reopen it.

Answer 4 · 2022-04-22T02:27:03.000Z

original issue

Can you please provide a link.

Answer 5 · 2022-04-22T02:35:30.000Z

I was referring to the issue that you have created and linked to from here.
dotnet/runtime#59416 Make mono CSP Compliant

Answer 6 · 2022-04-22T03:39:48.000Z

Ah so it's over on the runtime repo. Thanks for clarifying. Please open up a new issue with the line you pointed out, on dotnet/runtime, and crosslink dotnet/runtime#59416 and #37787.

Answer 7 · 2022-06-08T11:09:00.000Z

We should re-check if this is still the case. Since this issue was posted, Chromium has added support for a new CSP flag, wasm-unsafe-eval, which is intended for this case. It might now be possible to run without unsafe-eval, by adding wasm-unsafe-eval instead: https://chromestatus.com/feature/5499765773041664

Answer 8 · 2022-06-08T22:46:59.000Z

Unfortunately wasm-unsafe-eval doesn't look to be sufficient in this case:

It's calling out https://github.com/dotnet/runtime/blob/637f8f241146e467d6a603394d63ff716838c0c6/src/mono/wasm/runtime/method-binding.ts#L81-L115 specifically.

cc/ @radical any ideas what may be going wrong here?

Answer 9 · 2022-06-08T22:55:21.000Z

https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md#proposed-policy-behavior

If the wasm-unsafe-eval source keyword is used, and the unsafe-eval keyword is not present, then WebAssembly modules may be compiled and instantiated.

   One advantage of this is that a website can permit WebAssembly modules to be used without also enabling JavaScript's eval keyword.

IIUC, this means that wasm-unsafe-eval will allow WebAssembly.compile, and friends to work, but not the general eval in JS. Do correct me if I'm wrong. So, then the situation is unchanged.

cc @pavelsavara @lewing

Answer 10 · 2022-06-09T15:07:22.000Z

Yes, we need to get rid of eval in the JS code first. Also see dotnet/runtime#68374

Answer 11 · 2022-06-25T21:04:46.000Z

I was looking into this case also. Maybe relevant is recent discussion regarding WASM loading in extensions and v3 manifest at https://bugs.chromium.org/p/chromium/issues/detail?id=1318922 (made this comment also in the previously linked thread, found it first).

Answer 12 · 2022-06-26T14:01:56.000Z

I'm also wanting to use Blazor in a chrome extension but this is blocking me.

Answer 13 · 2022-07-07T01:40:27.000Z

I'm also wanting to use Blazor in a chrome extension but this is blocking me.

Same here.

Answer 14 · 2022-09-06T13:52:46.000Z

Blazor in Net7 is using legacy JavaScript interop, which is not CSP safe. We need to migrate Blazor to use the new JS interop with [JSImportAttribute] to make it CSP friendly.

Answer 15 · 2022-10-11T17:37:03.000Z

Thanks for contacting us.

We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

Answer 16 · 2022-10-26T16:38:43.000Z

Just to show that its not a rare or low-impact issue. This issue is 100% blocking me from using Blazor in new projects. My company has a security requirement on things going into production that disallows us from using unsafe-eval.

Answer 17 · 2022-10-26T17:18:42.000Z

Just to show that its not a rare or low-impact issue.

I second that.

Answer 18 · 2023-04-07T06:54:09.000Z

we need this fixed asap, cannot realistically use blazor wasm without this.
EDIT: Is this available as part of .net 8 preview?

Answer 19 · 2023-05-08T20:09:04.000Z

I need to point out that this is a very important thing to fix in order for Blazor to be considered mature.

Specifically, "eval()" in Javascript is considered insecure, but Blazor essentially runs via "eval()."

It's quite critical to fix this, in the long-term, for a Blazor-powered site to be considered safe from XSS attacks.