
Apply a CSP in non-Development environments #31106

Merged (4 commits), Nov 28, 2023

Conversation

@guardrex (Collaborator) commented Nov 22, 2023

Fixes #31105

Mackinnon ...

  • Our CSP guidance seems ok. We addressed it during an early preview.
  • I wanted to confirm all is well anyway and was reminded that we never had guidance on how to only apply CSPs in non-Development environments. It's always been a PITA 😠 during development just plopping a CSP into <head> content. I added a new section (just picking up with 8.0+, I won't sweat prior releases) that will assist devs with this problem.
  • Section order change: When you look at the DIFF, the first thing that you'll see is the Server-side Blazor apps section, which isn't being added as new content. It's just moving from below the Client-side Blazor apps section to above it. We're generally ordering our server-side coverage above our client-side coverage these days. Scroll down to the new Apply a CSP in non-Development environments section for the real 🍖 part of the PR.

If you want to see all of the Development errors that hit when a CSP is just dropped in and the app is run in the Development environment, they're in the opening comment of the issue at ...

#31105
Internal previews: aspnetcore/blazor/security/content-security-policy.md (preview: Enforce a Content Security Policy for ASP.NET Core Blazor)

@guardrex guardrex self-assigned this Nov 22, 2023
@MackinnonBuck (Member) left a comment


Looks good, just a small question!

Comment on lines 319 to 320
* Apply the CSP via the `App` component, which applies the CSP to all layouts of the app.
* Apply the CSP to the app's layout files using the [`<HeadContent>` tag](xref:blazor/components/control-head-content). For complete effectiveness, every app layout file must adopt the approach.
@MackinnonBuck (Member)

Is the idea here that approach 1 should be preferred, when possible? The only reason I can think to use approach 2 is if you have a WebAssembly standalone app with a static index.html file whose content can't be determined programmatically.

@guardrex (Collaborator, Author) replied Nov 28, 2023

Perhaps, custom combos of external scripts (i.e., different CSPs) should be permitted on a per-layout basis. I felt that since it's a valid approach and might be useful that we should list it ... as you suggest though, not in the first position.

UPDATE: I fleshed it out on the next commit.
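The environment-gated CSP that the PR description and the review thread discuss, as an added illustration that is not the docs' own snippet and not code from this PR: an `App.razor` for a .NET 8 Blazor Web App that emits the CSP `<meta>` tag only when the host environment is not Development, so the dev-time errors mentioned in #31105 don't occur while the production policy still ships. The injected `IWebHostEnvironment`, the `Env` name and the directive list are assumptions for this example; the directives are an illustrative starting point and must be adapted to the scripts, styles and connections the app actually loads.

```razor
@* App.razor in the server project of a .NET 8 Blazor Web App (example, not from the docs) *@
@using Microsoft.AspNetCore.Hosting
@using Microsoft.Extensions.Hosting
@inject IWebHostEnvironment Env

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    @* Apply the policy only outside Development: IsDevelopment() reads ASPNETCORE_ENVIRONMENT.
       Hot reload, browser refresh and the detailed error UI are what trip a strict CSP in dev. *@
    @if (!Env.IsDevelopment())
    {
        @* Illustrative directives (assumed values): 'wasm-unsafe-eval' is needed only when the
           app has WebAssembly interactivity; tighten or extend per what the app really loads. *@
        <meta http-equiv="Content-Security-Policy"
              content="base-uri 'self'; default-src 'self'; object-src 'none'; img-src data: https:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; upgrade-insecure-requests;" />
    }
    <base href="/" />
    <link rel="stylesheet" href="app.css" />
    <HeadOutlet />
</head>
<body>
    <Routes />
    <script src="_framework/blazor.web.js"></script>
</body>
</html>
```

Because `App.razor` is statically server-rendered, the `@if` runs on the server and the Development build never sends the `<meta>` tag at all, which is preferable to sending a policy in report-only mode. The same `@if (!Env.IsDevelopment())` guard can wrap a `<meta>` inside a layout's `<HeadContent>` for the per-layout approach raised in the review, at the cost that every layout must repeat it to be fully covered; the `@using` lines can move to `_Imports.razor` to avoid repeating them.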

@guardrex guardrex merged commit d5b7749 into main Nov 28, 2023
3 checks passed
@guardrex guardrex deleted the guardrex/blazor-csp branch November 28, 2023 21:01
Successfully merging this pull request may close these issues.

Update Blazor CSP guidance