Open michaelongithub opened 6 days ago
@michaelongithub thanks for contacting us.
Rather than doing this, we would likely move the relevant UI into the templates. I suspect the issues you are having are with the reconnect UI. Is that the case?
Hi javiercn, not sure I understand your remark. It is really blazor.server.js that sometimes creates inline styles dynamically at runtime. This seems to be generally known, and if one checks the source of the violation it produces in the browser's devtools, it is visible that it stems from there. If one has the organizational requirement to have a strict CSS CSP, inline styles are not allowed. So there is a conflict. I have no preference as to where one can tell the Blazor Server framework to create nonces for the inline CSS it creates. But as I understand the nature of the situation, the framework itself must do that.
Alternatively: provide guidance and an example on how to mitigate this problem and allow Blazor Server apps to adhere to a strict CSS CSP without JS hacks or relaxing the CSP policy.
@michaelongithub we ship that UI within blazor.server.js; nothing precludes us from ejecting it into the template, where you have full control over it, and it doesn't have to inline anything.
I'd rather we update blazor.server.js to be compliant with the strictest CSP policy rather than add "patches" to pass nonces; that was the only comment.
javiercn: Thanks again for the swift reaction. So does that mean that future versions (starting when? or a hotfix?) of blazor.server.js won't create inline styles by themselves any longer?
Is there an existing issue for this?
Is your feature request related to a problem? Please describe the problem.
blazor.server.js sometimes creates inline styles dynamically at runtime. This is a violation of strict CSS CSP policies. Workarounds with JS createElement and analogous tricks are unsafe themselves, because they defeat the purpose of CSP by creating a bypass mechanism and are vulnerable to being overwritten by XSS attacks.
Describe the solution you'd like
The framework itself should provide a possibility (flag, option, ...) to create CSP nonces for the inline styles generated by the framework.
Additional context
No response
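As an added example (not code from this issue, from Blazor or from aspnetcore), the following evaluates the CSP rules the reporter relies on: whether a style injected at runtime without a nonce attribute is applied under a strict, a nonce-based and a relaxed `style-src` policy. The CSS body and the nonce value are constructed placeholders, not what blazor.server.js actually emits.

```python
# Added example: evaluates the CSP rules that decide whether a browser applies
# an inline <style>. Not Blazor/aspnetcore code; the CSS sample is constructed.
import base64
import hashlib
from typing import Dict, List, Optional

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def style_hash(css: str) -> str:
    """CSP hash-source (quotes omitted) for an exact inline stylesheet body."""
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def inline_style_allowed(header: str, css: str, nonce: Optional[str] = None) -> bool:
    """Would a <style> with body `css` (and optional nonce attribute) be applied?
    CSP3 rules for inline styles: style-src governs (default-src is the fallback,
    no directive means allowed); a matching nonce or sha256 hash allows it;
    'unsafe-inline' counts only while the directive has no nonce/hash source.
    """
    policy = parse_csp(header)
    sources = policy.get("style-src", policy.get("default-src"))
    if sources is None:
        return True
    keywords = [s[1:-1] for s in sources if len(s) > 1 and s[0] == s[-1] == "'"]
    if nonce and f"nonce-{nonce}" in keywords:
        return True
    if style_hash(css) in keywords:
        return True
    has_nonce_or_hash = any(k.startswith(("nonce-", "sha256-", "sha384-", "sha512-"))
                            for k in keywords)
    return "unsafe-inline" in (k.lower() for k in keywords) and not has_nonce_or_hash

# Constructed stand-in for a style block a script injects at runtime without a
# nonce attribute; it is not the actual content blazor.server.js injects.
INJECTED_CSS = ".reconnect-overlay { position: fixed; inset: 0; }"
STRICT_CSP = "default-src 'self'; style-src 'self'"
NONCE_CSP = "default-src 'self'; style-src 'self' 'nonce-c0nstructedN0nce'"
RELAXED_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'"

def verdicts() -> Dict[str, bool]:
    """Fate of the injected style under each policy when no nonce is attached."""
    policies = {"strict": STRICT_CSP, "nonce": NONCE_CSP, "relaxed": RELAXED_CSP}
    return {name: inline_style_allowed(h, INJECTED_CSS) for name, h in policies.items()}
```

A hash-source only matches one fixed stylesheet body, so it does not cover styles whose content is generated at runtime; that is why the nonce has to be attached by whatever injects the element.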