
Remove unsafe-eval CSP Requirement for Blazor WASM #37787

Closed
TanayParikh opened this issue Oct 23, 2021 · 19 comments · Fixed by #48182
Labels: area-blazor, blocked, enhancement, feature-blazor-wasm, Priority:1, task

Comments

@TanayParikh (Contributor)

Runtime made the necessary changes so that unsafe-eval may no longer be required for Blazor WASM: dotnet/runtime#59416

Note, there's also a Chrome bug which may come into play here (WebAssembly/content-security-policy#7)

This issue tracks validating this fix, and the associated documentation updates.

Original CSP Issue: #34428

TanayParikh added the investigate, area-blazor and feature-blazor-wasm labels Oct 23, 2021
TanayParikh added this to the .NET 7 Planning milestone Oct 23, 2021
TanayParikh added the Priority:2 label Oct 23, 2021
mkArtakMSFT added the cost: XS, Validation and triaged labels and removed the cost: S label Oct 28, 2021
@TanayParikh (Contributor, Author)

Unfortunately this is still an issue due to the Chrome bug:

[Screenshot: Screen Shot 2021-12-08 at 12 30 18 PM]

This resource helps detect if the Chrome issue is resolved (WASM related, not Blazor specific): https://s3.amazonaws.com/webassembly-chrome-csp/csp_test.html

Others are having the same issue as well: element-hq/element-web#12262

TanayParikh added the blocked and task labels and removed the investigate, triaged, Validation, cost: XS and Priority:2 labels Dec 8, 2021
TanayParikh removed their assignment Dec 8, 2021
TanayParikh changed the title from "Validate CSP for Blazor WASM" to "Remove unsafe-eval CSP Requirement for Blazor WASM" Dec 8, 2021
TanayParikh modified the milestones: .NET 7 Planning, Backlog Dec 8, 2021
@ghost commented Dec 8, 2021

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues, you can read our Triage Process.

@mingyaulee

@TanayParikh based on my testing with dotnet.7.0.0-preview.3.22175.4 the runtime still requires unsafe-eval, mainly due to the evaluation of a string in the following line:

https://github.com/dotnet/runtime/blob/14584c60b41ddc361442539f78bc3d54d3ab3ea2/src/mono/wasm/runtime/method-binding.ts#L113

The original issue was closed and locked so I am hoping you might be able to reopen it.

@TanayParikh (Contributor, Author)

> original issue

Can you please provide a link.

@mingyaulee

I was referring to the issue that you have created and linked to from here.
dotnet/runtime#59416 Make mono CSP Compliant

mkArtakMSFT added the triaged and enhancement labels Oct 11, 2022
@danielcor

Just to show that it's not a rare or low-impact issue. This issue is 100% blocking me from using Blazor in new projects. My company has a security requirement on things going into production that disallows us from using unsafe-eval.

@KieranDevvs

> Just to show that its not a rare or low-impact issue.

I second that.

@ctigrisht commented Apr 7, 2023

We need this fixed ASAP; we cannot realistically use Blazor WASM without this.
EDIT: Is this available as part of the .NET 8 preview?

@andrewrondeau-optirtc

I need to point out that this is a very important thing to fix in order for Blazor to be considered mature.

Specifically, "eval()" in JavaScript is considered insecure, but Blazor essentially runs via "eval()."

It's quite critical to fix this, in the long-term, for a Blazor-powered site to be considered safe from XSS attacks.
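The question running through this thread is whether a site's script-src must grant 'unsafe-eval' for Blazor WASM to run at all. As an added example, not code from this issue or from the Blazor project, the following JavaScript parses a Content-Security-Policy header and reports what the governing directive grants, using two constructed sample headers (the broad policy the runtime needed at the time, and a tightened one); the function and constant names are my own.

```javascript
// Added example (not from the dotnet/aspnetcore issue or the Blazor project):
// parse a Content-Security-Policy header and report what the directive that
// governs script execution grants for eval()-style code generation.

// Split a CSP header into a Map of directiveName -> [source expressions].
// Directives are ';'-separated; tokens inside one are whitespace-separated.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // First occurrence wins; browsers ignore a repeated directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Find the directive that governs scripts (script-src, else default-src)
// and report whether it grants 'unsafe-eval' (JavaScript eval()/new Function()
// and WebAssembly compilation) or only the narrower CSP3 'wasm-unsafe-eval'
// (WebAssembly compilation alone, no JavaScript string evaluation).
function evalPosture(header) {
  const d = parseCsp(header);
  const directive = d.has("script-src") ? "script-src"
                  : d.has("default-src") ? "default-src" : null;
  if (directive === null) {
    // Neither directive present: the policy does not restrict eval at all.
    return { directive, unsafeEval: true, wasmUnsafeEval: true };
  }
  const sources = d.get(directive).map((s) => s.toLowerCase());
  const unsafeEval = sources.includes("'unsafe-eval'");
  return {
    directive,
    unsafeEval,
    wasmUnsafeEval: unsafeEval || sources.includes("'wasm-unsafe-eval'"),
  };
}

// Constructed sample headers (hypothetical site): the broad policy the Blazor
// WASM runtime needed at the time of this thread, and a tightened one that
// drops 'unsafe-eval' and keeps only WebAssembly compilation.
const BROAD_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; img-src data: https:";
const TIGHT_POLICY =
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; img-src data: https:";

console.log("broad:", evalPosture(BROAD_POLICY));
console.log("tight:", evalPosture(TIGHT_POLICY));
```

The distinction matters for @mingyaulee's finding above: 'wasm-unsafe-eval' covers WebAssembly compilation only, so a runtime that still builds functions from strings needs 'unsafe-eval' regardless.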
