
Make it easier to secure inline scripting, which is used in all Blazor examples I've seen #59693

Open
1 task done
jbaumflek opened this issue Jan 2, 2025 · 1 comment
Labels
area-blazor Includes: Blazor, Razor Components

Comments

@jbaumflek

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

cc: @guardrex dotnet/AspNetCore.Docs#34425
related: #6001
Please read the doc issue first.
Having followed examples in Learn, etc., I make use of inline scripting all over my app. I didn't know that would be an issue until "too late" and now I find myself having to rework the entire UI to collocate the js (not even sure what that means yet), just to be able to enable meaningful CSP, which is of course required for our corporate policy. Of course some of this is my ignorance, but I sure wish following OWASP was more built-in, not so much as a separate task. I started this with .NET 6 so perhaps there are templates that already have hardening in the forefront, but if not, I think there should be templates with baked in security.

Describe the solution you'd like

A template for Blazor server-side enterprise-level security already configured

Additional context

No response

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-blazor Includes: Blazor, Razor Components label Jan 2, 2025
@guardrex
Contributor

guardrex commented Jan 2, 2025

Javier/Steve, it would probably be a good idea in relation to @jbaumflek's initial approach to directly address inline JS in the CSP article, probably saying that nonce-source is out of the question and hash-source isn't particularly useful, resulting in a recommendation that devs should generally avoid inline JS-heavy development.

I'm playing with language at dotnet/AspNetCore.Docs#34431.

See the DIFF starting at line 306 to let me know if that's headed in the right direction. 👀

Also, we're keeping an example of applying a CSP via middleware for server-side apps at ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/fundamentals/startup?view=aspnetcore-8.0#server-side-and-prerendered-client-side-scenarios

That's cross-linked in three spots in the CSP article to surface it to readers.
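As an added illustration, not code from this issue or from the ASP.NET Core docs, the following minimal .NET 8 Blazor Web App `Program.cs` applies a CSP header from middleware in the style of the startup article linked above, and computes a hash-source for one hypothetical inline bootstrap script so that the brittleness of the hash-source approach is visible. The directive list, the `inlineBootstrap` string and the `App` root component are assumptions (the `App` component comes from the standard project template).

```csharp
// Added example (not from the issue or the docs): a Blazor Web App Program.cs
// that sets a Content-Security-Policy header via middleware.
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorComponents().AddInteractiveServerComponents();

var app = builder.Build();

// Hypothetical: one inline <script> you have not yet moved into a .js file.
// A hash-source covers exactly this text; any change to the script body,
// including whitespace, invalidates the hash and the browser blocks the script.
const string inlineBootstrap = "Blazor.start();";
string hashSource = "'sha256-"
    + Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(inlineBootstrap)))
    + "'";

app.Use(async (context, next) =>
{
    // Assumed directive set; tighten or extend it to match your own app.
    context.Response.Headers.Append("Content-Security-Policy",
        "base-uri 'self'; " +
        "default-src 'self'; " +
        "img-src data: https:; " +
        "object-src 'none'; " +
        // Once all inline JS is colocated in files served from wwwroot,
        // drop the hash and let 'self' cover the scripts.
        $"script-src 'self' {hashSource}; " +
        "style-src 'self'; " +
        "upgrade-insecure-requests;");
    await next();
});

app.UseStaticFiles();
app.UseAntiforgery();
app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
app.Run();
```

Every inline `<script>` in the app needs its own hash entry, and each one has to be recomputed whenever the script text changes, which is what makes hash-source impractical for an app that, like the one described in this issue, has inline JS throughout. Moving the scripts into files under `wwwroot` removes the per-script bookkeeping entirely; the browser console reports any remaining CSP violations while you migrate.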
