
Backport Blazor Stop Requiring unsafe-inline in CSP (#36771) #36846


Merged
merged 4 commits into from
Sep 22, 2021


TanayParikh
Contributor

Description

Updates to the Blazor Server reconnection handler such that it uses DOM-based APIs so that the unsafe-inline condition is no longer required on the Content Security Policy (CSP). This empowers customers to create stricter CSP controls in their Blazor applications.

Customer Impact

Blazor wasn't CSP compliant, meaning for those who wanted to enable CSP, they needed to add unsafe-inline which diminishes a lot of the benefits of having CSP in the first place.

Regression?

  • Yes
  • No

[If yes, specify the version the behavior has regressed from]

Risk

  • High
  • Medium
  • Low

Actual changes are just to use the DOM APIs to generate the elements, instead of dynamically injecting HTML. This should reduce overall product risk as it's using more generally accepted practices.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

Addresses #34428
Original PR: #36771

* Blazor Server Allow Unsafe Inline

For: #34428

* Update MonoPlatform.ts

* Fix DefaultReconnectDisplay.test

* PR Feedback
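
The general pattern the description refers to, as an added example that is not part of this PR or of Blazor's source: a string of markup carrying inline `style`/`onclick` attributes, beside the same overlay built with DOM APIs. All function names, the policy line and the `fakeDocument` stand-in are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Blazor's source.
// Intended policy (no 'unsafe-inline'):
//   Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self'

// Injected-HTML pattern: when this string is assigned to innerHTML under the
// policy above, the style="" attribute and the onclick="" handler are blocked.
function reconnectMarkup(message) {
  return '<div style="position:fixed;inset:0"><h5>' + message +
         '</h5><button onclick="retry()">Retry</button></div>';
}

// DOM-API pattern: nodes come from createElement, styles go through the CSSOM
// (element.style) and the handler through addEventListener; none of these
// needs 'unsafe-inline'.
function buildReconnectOverlay(doc, message, onRetry) {
  const overlay = doc.createElement('div');
  Object.assign(overlay.style, { position: 'fixed', top: '0', right: '0', bottom: '0', left: '0' });
  const text = doc.createElement('h5');
  text.style.textAlign = 'center';
  text.textContent = message; // stored as text, never parsed as markup
  const retry = doc.createElement('button');
  retry.textContent = 'Retry';
  retry.addEventListener('click', onRetry);
  overlay.appendChild(text);
  overlay.appendChild(retry);
  return overlay;
}

// Constructed stand-in for `document` so the example runs under Node;
// in a browser, pass the real `document`.
function fakeDocument() {
  return {
    createElement(tag) {
      return {
        tagName: tag.toUpperCase(), style: {}, children: [], listeners: {}, textContent: '',
        addEventListener(type, fn) { this.listeners[type] = fn; },
        appendChild(child) { this.children.push(child); return child; },
      };
    },
  };
}
```

Note that `element.setAttribute('style', ...)` is treated like an inline style attribute and is still blocked without `'unsafe-inline'`; only the CSSOM route shown above is exempt.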
@TanayParikh TanayParikh requested a review from a team as a code owner September 22, 2021 16:58
@ghost ghost added the area-blazor Includes: Blazor, Razor Components label Sep 22, 2021
@TanayParikh
Contributor Author

@Pilchie requesting approval to merge for 6.0

@TanayParikh TanayParikh requested a review from Pilchie September 22, 2021 17:02
@Pilchie
Member

Pilchie commented Sep 22, 2021

Approved for .NET 6.0

@TanayParikh
Contributor Author

Thanks Kevin.

@dotnet/aspnet-build requesting merge into 6.0

@wtgodbe wtgodbe merged commit 748e56b into release/6.0 Sep 22, 2021
@wtgodbe wtgodbe deleted the taparik/backport2b0e81f2ff branch September 22, 2021 21:06
@ghost ghost added this to the 6.0.0 milestone Sep 22, 2021