No Content Security Policy is compatible with Blazor WASM .Net 5.0 and Chrome 89.0
Describe the bug
I have found with Chrome 89.0 it appears impossible to use a Content Security Policy with Blazor WASM. It appears the way it is invoked via eval violates any possible Chrome 89.0 CSP policy. For my Blazor WASM app Chrome warns that if I don’t add wasm-eval, Chrome won’t run the WASM code. But if I add wasm-eval and/or wasm-unsafe-eval (in addition to unsafe-eval) Chrome says it will both ignore all those and still won’t run WASM because no wasm-eval 🤣
With script-src 'self' 'wasm-eval' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' the CSP is basically a no-op policy at this point yet it still can’t support WASM.
While this appears to be a Chrome Browser issue, it also appears to be triggered by the way the WASM code is invoked by the loader. More discussion here:
https://github.com/WebAssembly/content-security-policy/issues/7
To Reproduce
Publish a Blazor WASM application with a Content Security Policy HTTP header.
Add everything possible to script-src and note that the Blazor WASM loader still violates the CSP.
Exceptions (if any)
Further technical details
- ASP.NET Core version 5.0.201
- Include the output of dotnet --info
- The IDE (VS / VS Code/ VS4Mac) you’re running on, and its version: Visual Studio 2019
.NET SDK (reflecting any global.json):
  Version: 5.0.201
  Commit: a09bd5c86c
Runtime Environment:
  OS Name: ubuntu
  OS Version: 18.04
  OS Platform: Linux
  RID: ubuntu.18.04-x64
  Base Path: /usr/share/dotnet/sdk/5.0.201/
Host (useful for support):
  Version: 5.0.4
  Commit: f27d337295
.NET SDKs installed:
  3.1.404 [/usr/share/dotnet/sdk]
  5.0.201 [/usr/share/dotnet/sdk]
.NET runtimes installed:
  Microsoft.AspNetCore.App 3.1.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.1.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
To install additional .NET runtimes or SDKs: https://aka.ms/dotnet-download
Issue Analytics
- Created 2 years ago
- Comments:11 (5 by maintainers)
Thanks for contacting us. This seems to be a WebAssembly issue on Chrome. It’s tracked at https://github.com/WebAssembly/content-security-policy/issues/7
@coderanger you are correct; the error you get in CSP ‘report-only’ mode is bogus - ignore it. The ‘issue’ you get in CSP enforcing mode is also bogus, ignore that too. See https://github.com/WebAssembly/content-security-policy/issues/7 for the full detail and screenshots. The script-src unsafe-eval does work to enable WebAssembly for Chrome same as other browsers, despite what the errors/issues say 😄. Thanks for the 2018 bug reference, that looks like exactly my experience.
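
An added example, not part of the original issue or of Blazor's own code: a small JavaScript audit of a Content-Security-Policy value that reports, for the effective script-src, whether 'unsafe-eval' is present (what the last comment says enables WebAssembly in Chrome 89), which wasm-specific keywords from the report are present, and which keywords weaken the policy. The function names, keyword lists and sample policies are assumptions built from this thread.

```javascript
// Keyword sets come from this thread, not from any browser's source (assumption).
const WASM_KEYWORDS = ["'wasm-eval'", "'wasm-unsafe-eval'"]; // reported as ignored by Chrome 89
const WEAKENING = ["'unsafe-inline'", "'unsafe-eval'"];

// Parse "name v1 v2; name2 v3" into a Map. Directive names are
// case-insensitive and only the first occurrence of a directive counts.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Audit the effective script-src (hypothetical helper for illustration).
function auditScriptSrc(header) {
  const csp = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = csp.get("script-src") ?? csp.get("default-src") ?? null;
  if (sources === null) {
    // No directive governs scripts, so nothing blocks eval or WASM compilation.
    return { restricted: false, wasmAllowed: true, ignoredInChrome89: [], weakening: [] };
  }
  const lower = sources.map((s) => s.toLowerCase()); // keywords match case-insensitively
  return {
    restricted: true,
    // Per the thread, 'unsafe-eval' is what actually enables WebAssembly in Chrome 89.
    wasmAllowed: lower.includes("'unsafe-eval'"),
    ignoredInChrome89: WASM_KEYWORDS.filter((k) => lower.includes(k)),
    weakening: WEAKENING.filter((k) => lower.includes(k)),
  };
}

// Constructed sample policies: the one quoted in the report, a trimmed one, a strict one.
const REPORTED = "script-src 'self' 'wasm-eval' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline'";
const TRIMMED = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const STRICT = "default-src 'self'";

for (const policy of [REPORTED, TRIMMED, STRICT]) {
  console.log(policy, "=>", JSON.stringify(auditScriptSrc(policy)));
}
```

The trimmed policy drops 'unsafe-inline' and the two wasm keywords while keeping the one keyword the thread says is needed, so the CSP still restricts inline script.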