
MapStaticAssets/CSP problem #59486

Closed
1 task done
akurone opened this issue Dec 14, 2024 · 3 comments
Labels
area-blazor Includes: Blazor, Razor Components ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. question Status: Resolved

Comments

@akurone

akurone commented Dec 14, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

hello,
i know this is not exactly a bug but it severely damages the workflow: i want to use newly introduced MapStaticAssets with a CSP header which doesn't allow inline scripts (via script-src; enforced by our security team).

The ImportMap component renders as an inline script, but this is blocked by the browser because of the CSP header.
adding the related SHA value to the header solves the issue (for a while:)).

BUT, since everything is immutable with the MapStaticAssets approach, a simple change causes the static assets to be rebuilt; then the contents of the ImportMap are changed, the SHA is invalid, and i need to update it again.

basically (almost) every change in source requires an update for the SHA value of ImportMap script.

i might be doing something terribly wrong but after having a quick conversation (AspNetCore.Docs/34351) with @guardrex on the docs i think your comment on the issue is important: as i said there is actually no bug but the workflow gets really messy this way. it needs to be addressed either in MapStaticAssets/ImportMap or in the docs (by letting people know how to properly use MapStaticAssets with a rather restrictive CSP).

Expected Behavior

i would love to use MapStaticAssets with a CSP that restricts use of inline scripts.

Steps To Reproduce

you can follow along with the git history of the repro:

  1. start with blazor web app template: ImportMap works (c22dda98)
  2. add described CSP header: ImportMap is blocked by browser due to CSP header (feda3e4c)
  3. include SHA in the CSP: ImportMap works again (f8cee93b)
  4. change something: ImportMap is blocked again due to the content change (19500644)
  5. update the SHA: ImportMap works again (1fbf61c8)

Exceptions (if any)

No response

.NET Version

9.0.101

Anything else?

cc: @guardrex dotnet/AspNetCore.Docs#34351

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-blazor Includes: Blazor, Razor Components label Dec 14, 2024
@javiercn
Member

@akurone thanks for contacting us.

There are a few things you can do

  • Use a nonce on the script tag.
  • Grab the ImportMap from httpContext.GetEndpoint().Metadata.GetOrderedMetadata<ImportMap>() and compute the integrity from the string representation: "sha256-{Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(importMap.ToString())))}"
  • Avoid using the importmap at all (just here for completeness, ideally the second option is the best)
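One way to wire the second option into the request pipeline, as an added example that is not code from this issue or from ASP.NET Core itself. It assumes that the import map metadata attached to the matched endpoint is of type `ImportMapDefinition` (namespace `Microsoft.AspNetCore.Components`), that the `ImportMap` component renders exactly `ImportMapDefinition.ToString()` as the script body, and that `App` is the root component from the Blazor Web App template. Because the hash is computed per request from the same metadata the component renders, a rebuild that changes the fingerprinted asset URLs (and therefore the import map JSON) no longer requires editing the policy by hand.

```csharp
// Added example (not from the issue or the ASP.NET Core repo): middleware that
// emits a Content-Security-Policy whose script-src carries the SHA-256 hash of
// the import map that <ImportMap /> will render for the matched endpoint.
// Assumptions (not confirmed by the issue): the metadata type is
// ImportMapDefinition, and the component renders ImportMapDefinition.ToString()
// verbatim as the <script type="importmap"> body.
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Components;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorComponents();
var app = builder.Build();

// WebApplication inserts UseRouting at the start of the pipeline, so by the time
// this middleware runs the endpoint (and its metadata) has already been resolved.
app.Use(async (context, next) =>
{
    var importMap = context.GetEndpoint()?.Metadata
        .GetOrderedMetadata<ImportMapDefinition>()
        .LastOrDefault();

    var scriptSrc = "script-src 'self'";
    if (importMap is not null)
    {
        // Allow exactly this inline import map and nothing else inline.
        scriptSrc += " " + CspHashSource(importMap.ToString());
    }

    // Set before the body starts so the header is still mutable.
    context.Response.Headers["Content-Security-Policy"] =
        $"default-src 'self'; {scriptSrc}; object-src 'none'; base-uri 'self'";

    await next(context);
});

app.UseAntiforgery();
app.MapStaticAssets();
app.MapRazorComponents<App>();
app.Run();

// A CSP hash-source is 'sha256-<base64>' over the UTF-8 bytes of the exact
// script text. Any difference in whitespace or encoding between what is hashed
// here and what the browser receives makes the browser reject the script.
static string CspHashSource(string inlineScript) =>
    $"'sha256-{Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(inlineScript)))}'";
```

If the app has other inline scripts (for example the Blazor reconnection script), they still need their own hash or a nonce; this middleware only covers the import map. Checking the browser console for a CSP violation report after a rebuild is the quickest way to confirm the hash tracks the regenerated asset URLs.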

@akurone
Author

akurone commented Dec 16, 2024

hello @javiercn, thanks for the quick response. 2nd option sounds ok for me but i actually build the CSP at startup. a good sample (better than mine:)) for the issue would be a great value in the docs for the related audience (any dev with security concerns/constraints). that's why i created this issue.

@guardrex if this is ok for you to proceed on dotnet/AspNetCore.Docs#34351; shall i close this one?

@guardrex
Contributor

guardrex commented Dec 16, 2024

Yes, let's take it up on the docs issue, and you can close here (or let it close here by itself automatically).

Given that this applies to all types of ASP.NET Core apps, I'll take the Blazor focus off of the docs issue, and set it up for the main doc set's Static Files article.

@akurone akurone closed this as completed Dec 16, 2024
@javiercn javiercn added question ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. labels Dec 16, 2024