dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License
35.42k stars 10.01k forks source link

Make blazor.server.js compatible with strict CSS CSP #58629

Open michaelongithub opened 6 days ago

michaelongithub commented 6 days ago

Is there an existing issue for this?

Is your feature request related to a problem? Please describe the problem.

blazor.server.js creates sometimes inline styles dynamically at runtime. This is a violation of strict Css CSP Policies. Workarounds with JS CreateElement and analogous tricks is unsafe itself, because it defeats the purpose of CSP by creating a bypass mechanism and is vulnerable to being overwritten by XSS attacks.

Describe the solution you'd like

The framework itself should provide a possibility (flag,option,...) to create CSP nonces for by the framework generated inline styles.

Additional context

No response

javiercn commented 6 days ago

@michaelongithub thanks for contacting us.

Rather than doing this, we would likely move the relevant UI into the templates. I suspect the issues you are having are with the reconnect UI. Is that the case?

michaelongithub commented 6 days ago

Hi javiercn not sure I understand your remark. It is really blazor.server.js that creates sometimes inline styles dynamically at runtime. This seems to be generally known and if one checks the source of the violation it produces in the browsers devtools, it is visible, that it stems from there. If one has the organizational requirement to have a strict CSS CSP, inline styles are not allowed. So there is a conflict. I have no preference, where one can tell the Blazor Server framework to create nonces for the inline css it creates. But as I understand the nature of the situation, the framework itself must do that.

Alternatively: provide guidance and example on how to mitigate this problem and allow Blazor Server apps to adhere to strict CSS CSP without JS hacks or relaxing the CSP Policy.

javiercn commented 5 days ago

@michaelongithub we ship that UI within blazor.server.js, nothing precludes us from ejecting it into the template, where you have full control over it, and doesn't have to inline anything.

I'd rather us update blazor.server.js to be compliant with the strictest csp policy rather than add "patches" to pass nonces, that was the only comment.

michaelongithub commented 5 days ago

javiercn: Thanks again for the swift reaction. So does that mean that future versions (starting when ?, or hotfix ?) of blazor.server.js wont create inline styles by themself any longer ?