aspnetcore/blazor/security/content-security-policy.md
+8-12
@@ -41,12 +41,12 @@ Minimally, specify the following directives and sources for Blazor apps. Add add
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
* In a Blazor WebAssembly app:
* Specify hashes to permit required scripts to load.
-
* Specify `unsafe-eval` to use `eval()` and methods for creating code from strings.
+
* Specify `unsafe-eval` to permit the Blazor WebAssembly mono runtime to function.
* In a Blazor Server app, specify hashes to permit required scripts to load.
*[style-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
* Specify the `https://stackpath.bootstrapcdn.com/` host source for Bootstrap stylesheets.
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
-
* Specify `unsafe-inline` to allow the use of inline styles. The inline declaration is required for the UI in Blazor Server apps for reconnecting the client and server after the initial request. In a future release, inline styling might be removed so that `unsafe-inline` is no longer required.
+
* Specify `unsafe-inline` to allow the use of inline styles.
*[upgrade-insecure-requests](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.
The preceding directives are supported by all browsers except Microsoft Internet Explorer.
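Review bot: the rewritten `unsafe-inline` bullet (`* Specify `unsafe-inline` to allow the use of inline styles.`) drops the rationale the old line gave, namely that inline styling is required by the Blazor Server reconnection UI, together with the note that the requirement might go away in a future release. Because `unsafe-inline` on `style-src` relaxes the policy for every stylesheet on the page, readers need to know which component forces it so they can tell when it is safe to remove; suggest keeping a one-line reason, for example `* Specify `unsafe-inline` to allow the use of inline styles, which the Blazor Server reconnection UI requires.` The `unsafe-eval` rewrite is an improvement for exactly that reason: it names the Blazor WebAssembly mono runtime as the consumer instead of describing generic `eval()` use, so the same treatment for `unsafe-inline` would keep the two bullets consistent.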
@@ -80,16 +80,15 @@ In the `<head>` content of the `wwwroot/index.html` host page, apply the directi
Note `sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=` represents the hash of an [inline](https://github.com/dotnet/aspnetcore/blob/57501251222b199597b9ac16888f362a69eb13c1/src/Components/Web.JS/src/Platform/Mono/MonoPlatform.ts#L212) script which is used for Blazor WebAssembly. This may be removed in the future.
+
Add additional `script-src` and `style-src` hashes as required by the app. During development, use an online tool or browser developer tools to have the hashes calculated for you. For example, the following browser tools console error reports the hash for a required script not covered by the policy:
> Refused to execute inline script because it violates the following Content Security Policy directive: " ... ". Either the 'unsafe-inline' keyword, a hash ('sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA='), or a nonce ('nonce-...') is required to enable inline execution.
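Review bot: the unchanged note above pins `sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=` to one commit of `MonoPlatform.ts` through the permalink, but "This may be removed in the future" does not say which framework version the hash was computed for; a reader who copies the value into a policy for a different version gets the "Refused to execute inline script" error quoted in this same hunk. Suggest stating the version the hash applies to and pointing readers to the hash-calculation guidance in the following paragraph rather than presenting the value as stable, since this hunk otherwise only inserts a blank line here.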
@@ -107,11 +106,8 @@ In the `<head>` content of the `Pages/_Layout.cshtml` host page, apply the direc