MapStaticAssets/CSP problem #59486
Labels
area-blazor
Includes: Blazor, Razor Components
✔️ Resolution: Answered
Resolved because the question asked by the original author has been answered.
question
Status: Resolved
Is there an existing issue for this?
Describe the bug
hello,
i know this is not exactly a bug but it severely damages the workflow: i want to use the newly introduced MapStaticAssets with a CSP header which doesn't allow inline scripts (via script-src; enforced by our security team).
The ImportMap component renders as an inline script but this is blocked by the browser because of the CSP header. adding the related SHA value to the header solves the issue (for a while :)).
BUT, since everything is immutable with the MapStaticAssets approach, a simple change causes the static assets to be rebuilt, and then the contents of the ImportMap are changed and the SHA is invalid; i need to update it again. basically (almost) every change in source requires an update for the SHA value of the ImportMap script.
i might be doing something terribly wrong but after having a quick conversation (AspNetCore.Docs/34351) with @guardrex on the docs i think your comment on the issue is important: as i said there is actually no bug but the workflow gets really messy this way. it needs to be addressed either in MapStaticAssets/ImportMap or in the docs (by letting people know how to properly use MapStaticAssets with a rather restrictive CSP).
Expected Behavior
i would love to use MapStaticAssets with a CSP that restricts use of inline scripts.
Steps To Reproduce
you can follow along with the git history of the repro:
1. ImportMap works (c22dda98)
2. ImportMap is blocked by browser due to CSP header (feda3e4c)
3. ImportMap works again (f8cee93b)
4. ImportMap is blocked again due to the content change (19500644)
5. ImportMap works again (1fbf61c8)
Exceptions (if any)
No response
.NET Version
9.0.101
Anything else?
cc: @guardrex dotnet/AspNetCore.Docs#34351
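An added example, not part of the original issue or of the ASP.NET Core code base: a Node.js check that recomputes the CSP hash of the rendered import map and reports when script-src no longer lists it, which is the drift the issue describes after a rebuild. The HTML, asset fingerprints and policy are constructed samples, and all function names are hypothetical.

```javascript
const { createHash } = require("node:crypto");

// CSP hash source for an inline script: base64 SHA-256 over the exact
// text between the opening and closing tags (whitespace included).
function cspHash(scriptText) {
  const digest = createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Bodies of every <script type="importmap"> element in rendered HTML.
// A regex is enough for a build check on markup you generate yourself.
function importMapBodies(html) {
  const re = /<script\b[^>]*\btype\s*=\s*["']importmap["'][^>]*>([\s\S]*?)<\/script>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Hash sources listed in the script-src directive of a CSP header value.
function scriptSrcHashes(csp) {
  const directive = csp
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === "script-src");
  return new Set((directive || []).slice(1).filter((t) => /^'sha(256|384|512)-/.test(t)));
}

// Hashes of import maps that this policy does not allow, i.e. the ones the
// browser would block. An empty array means the header is still in sync.
function staleImportMaps(html, csp) {
  const allowed = scriptSrcHashes(csp);
  return importMapBodies(html).map(cspHash).filter((h) => !allowed.has(h));
}

// Constructed sample: the same page from two builds. Only the fingerprint in
// the asset URL differs, as it would after a source change.
const page = (fingerprint) =>
  `<head><script type="importmap">{"imports":{"./app.js":"./app.${fingerprint}.js"}}</script></head>`;
const buildA = page("aaaa1111");
const buildB = page("bbbb2222");

// Policy pinned to build A's import map (the "works again" state).
const policy = `default-src 'self'; script-src 'self' ${cspHash(importMapBodies(buildA)[0])}`;

console.log("build A stale hashes:", staleImportMaps(buildA, policy));
console.log("build B stale hashes:", staleImportMaps(buildB, policy));
```

Run against the published output in CI, a non-empty result fails the build before the browser starts blocking the import map.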