Skip to content

Backport Blazor Stop Requiring unsafe-inline in CSP (#36771)#36846

Merged
wtgodbe merged 4 commits intorelease/6.0from
taparik/backport2b0e81f2ff
Sep 22, 2021
Merged

Backport Blazor Stop Requiring unsafe-inline in CSP (#36771)#36846
wtgodbe merged 4 commits intorelease/6.0from
taparik/backport2b0e81f2ff

Conversation

@TanayParikh
Copy link
Contributor

@TanayParikh TanayParikh commented Sep 22, 2021

Description

Updates to the Blazor Server reconnection handler such that it uses DOM based APIs so that the unsafe-inline condition is no longer required on the Content Security Policy (CSP). This empowers customers to create stricter CSP controls in their Blazor applications.

Customer Impact

Blazor wasn't CSP compliant, meaning for those who wanted to enable CSP, they needed to add unsafe-inline which diminishes a lot of the benefits of having CSP in the first place.

Regression?

  • Yes
  • No

[If yes, specify the version the behavior has regressed from]

Risk

  • High
  • Medium
  • Low

Actual changes are just to use the DOM APIs to generate the elements, instead of dynamically injecting HTML. This should reduce overall product risk as it's using more generally accepted practices.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

Addresses #34428
Original PR: #36771

@TanayParikh
Blazor Stop Requiring unsafe-inline in CSP (#36771)
e7c72b8 
* Blazor Server Allow Unsafe Inline

For: #34428

* Update MonoPlatform.ts

* Fix DefaultReconnectDisplay.test

* PR Feedback
@TanayParikh TanayParikh requested a review from a team as a code owner September 22, 2021 16:58
@ghost ghost added the area-blazor Includes: Blazor, Razor Components label Sep 22, 2021
@TanayParikh
Copy link
Contributor Author

TanayParikh commented Sep 22, 2021

@Pilchie requesting approval to merge for 6.0

@TanayParikh TanayParikh requested a review from Pilchie September 22, 2021 17:02
@Pilchie
Copy link
Member

Pilchie commented Sep 22, 2021

Approved for .NET 6.0

@TanayParikh
Copy link
Contributor Author

TanayParikh commented Sep 22, 2021

Thanks Kevin.

@dotnet/aspnet-build requesting merge into 6.0

@wtgodbe wtgodbe merged commit 748e56b into release/6.0 Sep 22, 2021
@wtgodbe wtgodbe deleted the taparik/backport2b0e81f2ff branch September 22, 2021 21:06
@ghost ghost added this to the 6.0.0 milestone Sep 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Pilchie Pilchie Awaiting requested review from Pilchie

Assignees

No one assigned

Labels

area-blazor Includes: Blazor, Razor Components

Projects

None yet

Milestone

6.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@TanayParikh @Pilchie @wtgodbe