jsakamoto / Toolbelt.Blazor.HotKeys2

This is a class library that provides configuration-centric keyboard shortcuts for your Blazor apps.
https://jsakamoto.github.io/Toolbelt.Blazor.HotKeys2/
Mozilla Public License 2.0

Using HotKeys2 with CSP header in place #11

Closed martinstoeckli closed 1 year ago

martinstoeckli commented 1 year ago

In a Blazor-hybrid project of mine, a content-security-policy is in place, to prevent loading of external JS scripts. To get it running, I had to add data: to the script-src, because the library generates an inline script with the data: prefix.

<meta http-equiv="content-security-policy" content="base-uri 'self'; default-src 'self'; script-src 'self' data:; style-src 'self' 'unsafe-inline'; img-src 'self' data:" />

Maybe this could be mentioned in the documentation, in any case I thought it would be helpful for others to publish it in an issue. Thanks a lot for your great work!

jsakamoto commented 1 year ago

@martinstoeckli Thank you for your feedback! After I considered it, I removed the inline "data:" protocol JavaScript module importing. Instead, I added another dependency to the "Toolbelt.Blazor.GetProperty.Script" NuGet package, which provides a tiny global JavaScript function to retrieve property values under the window object. I released the v.2.0 Preview 1 of this package.

This latest package allows you to make the "script-src" content security policy only "self".

See also: https://github.com/jsakamoto/Toolbelt.Blazor.HotKeys2/commit/d2923c6d68e2c5d09b38f63784dff160833fd74d#diff-1a377815c21ac53615fda1d5cef7f9a337d9564f6198f6aaf9782f68015ed511R15

Would you like to try and evaluate it? Again, thank you for your feedback and contributions!
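The two policies discussed in this thread, as an added example that is not part of the library or of either comment: a small JavaScript audit that parses a CSP string (such as the `content` attribute of the meta tag above) and flags `script-src` sources that weaken it. The policy strings, the `auditScriptSrc` function and the list of risky sources are this example's own, and the policies are constructed from the ones quoted in the issue.

```javascript
// Parse a CSP policy string into a Map of directive name -> source list.
// Per the CSP spec, only the first occurrence of a directive counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// script-src sources that let script run regardless of where it came from.
// 'data:' is here because a data: URL carries the script text inside the URL,
// so allowing it is effectively the same as allowing inline script.
const RISKY_SCRIPT_SOURCES = new Map([
  ['data:', 'data: URL scripts carry their code in the URL, equivalent to inline script'],
  ["'unsafe-inline'", 'allows inline <script> blocks and event handlers'],
  ["'unsafe-eval'", 'allows eval()/Function() on strings'],
  ['*', 'wildcard host source allows scripts from any origin'],
]);

// Return the risky script sources found in a policy. When script-src is
// absent, browsers fall back to default-src, so the audit does the same.
function auditScriptSrc(policy) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src') ?? [];
  const findings = [];
  for (const src of sources) {
    const reason = RISKY_SCRIPT_SOURCES.get(src.toLowerCase());
    if (reason) findings.push({ source: src, reason });
  }
  return findings;
}

// Constructed sample policies: the workaround from the first comment, and the
// tightened policy that the v2.0 Preview 1 package makes possible.
const WORKAROUND_POLICY =
  "base-uri 'self'; default-src 'self'; script-src 'self' data:; style-src 'self' 'unsafe-inline'; img-src 'self' data:";
const TIGHTENED_POLICY =
  "base-uri 'self'; default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";

console.log(auditScriptSrc(WORKAROUND_POLICY)); // one finding: data:
console.log(auditScriptSrc(TIGHTENED_POLICY));  // []
```

Note that `data:` under `img-src` is not flagged: images are not executable, so the concern is specific to `script-src`.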

martinstoeckli commented 1 year ago

Works like a charm! Thank you for considering this improvement, which makes it easier to build safe apps.