Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove unsafe-eval CSP Requirement for Blazor WASM #37787

Closed
TanayParikh opened this issue Oct 23, 2021 · 19 comments · Fixed by #48182
Closed

Remove unsafe-eval CSP Requirement for Blazor WASM #37787

TanayParikh opened this issue Oct 23, 2021 · 19 comments · Fixed by #48182
Assignees
Labels
area-blazor Includes: Blazor, Razor Components blocked The work on this issue is blocked due to some dependency enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly Priority:1 Work that is critical for the release, but we could probably ship without task
Milestone

Comments

@TanayParikh
Copy link
Contributor

Runtime made the necessary changes that unsafe-eval may no longer be required for Blazor WASM: dotnet/runtime#59416

Note, there's also a Chrome bug which may come into play here (WebAssembly/content-security-policy#7)

This issue tracks validating this fix, and the associated documentation updates.

Original CSP Issue: #34428

@TanayParikh TanayParikh added investigate area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly labels Oct 23, 2021
@TanayParikh TanayParikh added this to the .NET 7 Planning milestone Oct 23, 2021
@TanayParikh TanayParikh added the Priority:2 Work that is important, but not critical for the release label Oct 23, 2021
@mkArtakMSFT mkArtakMSFT added cost: S Will take up to 2 days to complete cost: XS Will take up to half a day to complete Validation This issue is used to track validation efforts triaged and removed cost: S Will take up to 2 days to complete labels Oct 28, 2021
@TanayParikh
Copy link
Contributor Author

Unfortunately this is still an issue due to the Chrome bug:

Screen Shot 2021-12-08 at 12 30 18 PM

This resource helps detect if the chrome issue is resolved (WASM related, not blazor specific): https://s3.amazonaws.com/webassembly-chrome-csp/csp_test.html

Others are having the same issue as well: element-hq/element-web#12262

@TanayParikh TanayParikh added blocked The work on this issue is blocked due to some dependency task and removed investigate triaged Validation This issue is used to track validation efforts cost: XS Will take up to half a day to complete Priority:2 Work that is important, but not critical for the release labels Dec 8, 2021
@TanayParikh TanayParikh removed their assignment Dec 8, 2021
@TanayParikh TanayParikh changed the title Validate CSP for Blazor WASM Remove unsafe-eval CSP Requirement for Blazor WASM Dec 8, 2021
@TanayParikh TanayParikh modified the milestones: .NET 7 Planning, Backlog Dec 8, 2021
@ghost
Copy link

ghost commented Dec 8, 2021

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

@mingyaulee
Copy link

@TanayParikh based on my testing with dotnet.7.0.0-preview.3.22175.4 the runtime still requires unsafe-eval, mainly due to the evaluation of string in the following line:

https://github.com/dotnet/runtime/blob/14584c60b41ddc361442539f78bc3d54d3ab3ea2/src/mono/wasm/runtime/method-binding.ts#L113

The original issue was closed and locked so I am hoping you might be able to reopen it.

@TanayParikh
Copy link
Contributor Author

original issue

Can you please provide a link.

@mingyaulee
Copy link

I was referring to the issue that you have created and linked to from here.
dotnet/runtime#59416 Make mono CSP Compliant

@mkArtakMSFT mkArtakMSFT added triaged enhancement This issue represents an ask for new feature or an enhancement to an existing one labels Oct 11, 2022
@danielcor
Copy link

Just to show that its not a rare or low-impact issue. This issue is 100% blocking me from using Blazor in new projects. My company has a security requirement on things going into production that disallows us from using unsafe-eval.

@KieranDevvs
Copy link

Just to show that its not a rare or low-impact issue.

I second that.

@ctigrisht
Copy link

ctigrisht commented Apr 7, 2023

we need this fixed asap, cannot realistically use blazor wasm without this.
EDIT: Is this available as part of .net 8 preview?

@andrewrondeau-optirtc
Copy link

I need to point out that this is a very important thing to fix in order for Blazor to be considered mature.

Specifically, "eval()" in Javascript is considered insecure, but Blazor essentially runs via "eval()."

It's quite critical to fix this, in the long-term, for a Blazor-powered site to be considered safe from XSS attacks.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
area-blazor Includes: Blazor, Razor Components blocked The work on this issue is blocked due to some dependency enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly Priority:1 Work that is critical for the release, but we could probably ship without task
Projects
None yet
Development

Successfully merging a pull request may close this issue.