Content Security Policy blocks script execution in default template. #37992

Closed
wbalzer opened this issue Nov 1, 2021 · 6 comments
Labels
area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly ✔️ Resolution: Duplicate Resolved as a duplicate of another issue investigate Status: Resolved

Comments

@wbalzer

wbalzer commented Nov 1, 2021

After creating a new WASM Core Hosted PWA with Individual Accounts, I noticed that after applying Migrations and logging in, I am getting an error…

Refused to load the script 'https://localhost:7139/_framework/aspnetcore-browser-refresh.js' because it violates the following Content Security Policy directive: "script-src 'sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

I am also getting...

blazor.webassembly.js:1 TypeError: Failed to fetch
    at a (blazor.webassembly.js:1)
    at Function.initAsync (blazor.webassembly.js:1)
    at Ct (blazor.webassembly.js:1)
    at blazor.webassembly.js:1
    at blazor.webassembly.js:1

I don’t have any visible errors on the page, but I noticed that JavaScript inside a SCRIPT tag on a page is also refusing to run because of a Content Security Policy. I’m not sure if this policy is new to the browser, or if the policy is new because of our Corporate Group Policies. I have tried to follow the instructions on:

https://docs.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-6.0

I wasn’t able to figure out how to set the meta tag to prevent the error and allow JS constants to be written inside a SCRIPT tag that may change from a configuration in the launch settings. Any ideas?

@mkArtakMSFT mkArtakMSFT added area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly labels Nov 1, 2021
@TanayParikh
Contributor

Hello @wbalzer, thanks for contacting us. The initial error is discussed as a part of #33068.

> I don’t have any visible errors on the page, but I noticed that JavaScript inside a SCRIPT tag on a page, is also refusing to run because of a Content Security Policy.

Can you please try:

<meta http-equiv="Content-Security-Policy" 
      content="base-uri 'self';
               block-all-mixed-content;
               default-src 'self';
               img-src data: https:;
               object-src 'none';
               script-src 'self' 
                          'sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=' 
                          'unsafe-eval';
               style-src 'self';
               upgrade-insecure-requests;">

The CSP guidance is to be updated along with the release of 6.0: https://github.com/dotnet/AspNetCore.Docs/pull/23365/files

> I’m not sure if this policy is new to the browser, or if the policy is new because of our Corporate Group Policies. I have tried to follow the instructions on:

Could you please try another browser to see if the issue is resolved? Are you able to disable the CSP in the development environment so it doesn't conflict with aspnetcore-browser-refresh.js?

@TanayParikh TanayParikh added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Nov 1, 2021
@ghost

ghost commented Nov 1, 2021

Hi @wbalzer. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

@wbalzer
Author

wbalzer commented Nov 3, 2021

After placing the CSP meta tag below the viewport meta tag, I am receiving these errors (Both Chrome and Edge) ...

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'
                          'sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA='
                          'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-9mThMC8NT3dPbcxJOtXiiwevtWTAPorqkXGKqI388cI='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to load the script 'https://localhost:44399/5b3fabb512bc48d5a19c82e1bc34dd88/browserLink' because it violates the following Content Security Policy directive: "script-src 'self'
                          'sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA='
                          'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Refused to connect to 'ws://localhost:56055/BlazorHybrid.Server/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
https://localhost:7139/_framework/aspnetcore-browser-refresh.js
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'
                          'sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA='
                          'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-9mThMC8NT3dPbcxJOtXiiwevtWTAPorqkXGKqI388cI='), or a nonce ('nonce-...') is required to enable inline execution.
https://localhost:7139/authentication/login-callback?code=12F64F53514155ADFC9000479371C7E9800AE64AA979596F6697A8B55060BF36&scope=BlazorHybrid.ServerAPI%20openid%20profile&state=64432e1358e0471ea33d2f2cd15a0afa&session_state=JcXpm83HvM-rTOnGhvqfAdz2GEcvvOyPStziEtxCuw8.561F4A63BBC436BF9CD5C021680A0264&iss=https%3A%2F%2Flocalhost%3A7139
Refused to load the script 'https://localhost:44399/5b3fabb512bc48d5a19c82e1bc34dd88/browserLink' because it violates the following Content Security Policy directive: "script-src 'self'
                          'sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA='
                          'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
https://localhost:7139/authentication/login-callback?code=12F64F53514155ADFC9000479371C7E9800AE64AA979596F6697A8B55060BF36&scope=BlazorHybrid.ServerAPI%20openid%20profile&state=64432e1358e0471ea33d2f2cd15a0afa&session_state=JcXpm83HvM-rTOnGhvqfAdz2GEcvvOyPStziEtxCuw8.561F4A63BBC436BF9CD5C021680A0264&iss=https%3A%2F%2Flocalhost%3A7139
Refused to load the script 'https://localhost:7139/_framework/aspnetcore-browser-refresh.js' because it violates the following Content Security Policy directive: "script-src 'sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
https://localhost:7139/connect/checksession

I also received the Type error as before.
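The "Refused to execute inline script" lines above name the exact hash the browser expects for the offending inline script. The following is an added illustration, not code from this thread or from dotnet/aspnetcore: it computes that 'sha256-…' source for an inline script body the same way the browser does, and assembles the directives from the meta tag proposed earlier in the thread so the script can be allowed by hash rather than with 'unsafe-inline'. The sample inline script, its values, and the connect-src entry for the ws://localhost:56055 hot-reload socket seen in the log are assumptions for this example, not project settings.

```python
# Added example (not code from the issue thread or from the dotnet project):
# compute the CSP 'sha256-...' source for an inline script and build the
# policy string that the meta tag in the thread carries.
import base64
import hashlib


def csp_script_hash(script_body: str) -> str:
    """Return the CSP source expression for an inline script.

    Browsers hash the exact text between <script> and </script>, including
    leading/trailing whitespace and newlines, so the body must be passed
    byte-for-byte as it appears in the HTML.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_csp(script_hashes, allow_eval=False, connect_src=()):
    """Assemble the directives from the meta tag proposed in the thread.

    connect_src is an assumption for development only: the log above shows
    the hot-reload WebSocket being refused under default-src 'self', so a
    dev-only policy can list that origin instead of dropping the CSP.
    """
    script_src = ["'self'"] + [f"'{h}'" for h in script_hashes]
    if allow_eval:
        script_src.append("'unsafe-eval'")  # the thread's meta tag includes this
    directives = [
        "base-uri 'self'",
        "block-all-mixed-content",
        "default-src 'self'",
        "img-src data: https:",
        "object-src 'none'",
        "script-src " + " ".join(script_src),
        "style-src 'self'",
        "upgrade-insecure-requests",
    ]
    if connect_src:
        directives.append("connect-src 'self' " + " ".join(connect_src))
    return "; ".join(directives) + ";"


def meta_tag(policy: str) -> str:
    """Render the policy as the <meta http-equiv> element used in the thread."""
    return f'<meta http-equiv="Content-Security-Policy" content="{policy}">'


# Constructed sample: an inline config script of the kind the reporter wants
# to keep (hypothetical values, not the project's real settings).
SAMPLE_INLINE_SCRIPT = """
    const API_BASE = "https://localhost:7139";
    const CLIENT_ID = "BlazorHybrid.Client";
"""

if __name__ == "__main__":
    h = csp_script_hash(SAMPLE_INLINE_SCRIPT)
    print("hash source:", h)
    # Whitespace changes the hash: a stripped body gives a different value,
    # which is the usual reason a pasted hash "doesn't work".
    print("stripped body differs:", csp_script_hash(SAMPLE_INLINE_SCRIPT.strip()) != h)
    # Assumed dev-only websocket origin, taken from the log above.
    policy = build_csp([h], allow_eval=True, connect_src=["ws://localhost:56055"])
    print(meta_tag(policy))
```

Each time the inline script's text changes (a different launch-settings value, an extra newline from reformatting), the hash changes with it, so the value has to be regenerated as part of the build rather than pasted once; a nonce regenerated per response is the alternative when the script content is not fixed at build time.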

@ghost ghost added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Nov 3, 2021
@TanayParikh TanayParikh added investigate and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels Nov 3, 2021
@TanayParikh
Contributor

Thanks @wbalzer, are you able to disable the CSP in the development environment so it doesn't cause these issues?

You'd mentioned previously:

> I’m not sure if this policy is new to the browser, or if the policy is new because of our Corporate Group Policies.

Note, to disable the CSP you'll also have to remove the meta tag from my earlier comment.

@mkArtakMSFT
Contributor

Thanks for contacting us. This seems to be a dupe of #33068

@mkArtakMSFT mkArtakMSFT added the ✔️ Resolution: Duplicate Resolved as a duplicate of another issue label Nov 4, 2021
@ghost ghost added the Status: Resolved label Nov 4, 2021
@wbalzer
Author

wbalzer commented Nov 4, 2021

@TanayParikh I'm using Visual Studio Preview 2022. I don't know if there is a clear way to disable CSP in development.

@ghost ghost locked as resolved and limited conversation to collaborators Dec 4, 2021