Closed SteveSandersonMS closed 2 years ago
@eerhardt also pointed out that once such headers are enabled, "any 3rd party stuff - like ads, payment, auth, etc - stops working".
Some of the runtime's new/proposed functionality - native crypto
For more information on this functionality - see https://github.com/dotnet/runtime/issues/40074. If SharedArrayBuffer
is not available, the Crypto APIs will fallback to C# implementations. From the blazor-wasm-crypto design doc:
The implementations of our in-box managed algorithms will be faithful to the appropriate standards. However, we will not pursue FIPS 140-2 or any other certification for them. Our in-box managed algorithm implementations are not intended to be free of side channels.
Organizations which require FIPS 140-2 compliant implementations or implementations which make stronger side channel guarantees must ensure that their Blazor client code executes only in browsers which support SharedArrayBuffer and which carry FIPS 140-2 compliant primitives via SubtleCrypto.
Thanks for contacting us.
We're moving this issue to the .NET 7 Planning
milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.
@SteveSandersonMS took a quick look at this yesterday. My findings are as follows:
window.crossOriginIsolated
to determine if the policies are in place.Is this still planned on making it for 7.0-rc1?
@eerhardt This issue was to track "figuring out a plan" (i.e., consider) rather than a confirmed intention to enable this by default.
We've had a bunch of discussions and considered the pros/cons of different approaches. The key points are:
Closing as the "considering" is done and we have a new issue tracking the work item
Some of the runtime's new/proposed functionality - native crypto, and multithreading - rely on
SharedArrayBuffer
. However, as per https://developer.chrome.com/blog/enabling-shared-array-buffer/, Chromium is soon going to start limiting this feature to be available only for cross-origin isolated sites. This will take effect as of Chromium v106.That is, the site would need to be served with these headers:
We can't do anything to enable this by default for standalone Blazor WebAssembly, as that's just a set of static files, and the HTTP headers are controlled by whatever is serving those files. This might lead to some functional problems for people hosting on GitHub pages or other places where the headers can't be controlled.
For hosted-on-ASP.NET Core sites, is there a way we could enable these headers by default? And would it be safe and reasonable to do so?