Closed christianzingg closed 3 months ago
Fluxor middlewares can specify their own scripts to include during the initialisation phase. These won't be invoked by the browser if injected as source, so I have to call Eval() to execute the generated scripts.
You should only use the devtools in development. Can you make the unsafe-eval conditional?
With .NET 8 Blazor WebAssembly no longer requires script-src 'unsafe-eval' on CSP (see https://learn.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-8.0#client-side-blazor-apps)
After changing the CSP to the .NET 8 recommendation our blazor app throws an exception because Fluxor.Blazor.Web.ReduxDevTools requires 'unsafe-eval'. Removing Fluxor.Blazor.Web.ReduxDevTools from our project and only using Fluxor.Blazor.Web solved the issue.
It there a reason why 'unsafe-eval' is required for Fluxor.Blazor.Web.ReduxDevTools?
For completeness there is the console exception output: