Update Blazor CSP guidance #25423

Merged
merged 1 commit into from
Mar 25, 2022

Conversation

guardrex
Collaborator

@guardrex guardrex commented Mar 25, 2022

Fixes #24570

Tanay, we can take care of this now.

I version the updates for 7.0 and place that versioned content at the bottom of the topic. This is a little trick that I'm adopting from Rick to avoid breaking links during preview for the current release. The 7.0 content is moved to the top of the topic at 7.0 GA. All 7.0 content added to Blazor docs for 7.0 during preview will appear at the bottom of topics until GA. In spite of all of the cross-link problems with our little versioning hacks 🙈, this approach (that we call "whole-topic versioning" ... full copies of topics for each release version in markdown files) saves us a whole bunch of time and pain (THUS 💰💰💰 !!!).

Because I'm adding a whole copy of the topic for 7.0, you can't make out the changes with GH's help via green-red lines on the diff.

You can use the Internal Review Topic if you want to see it live, but I'll paste the changes here so that you can review/update/approve exactly what's changing ...

For script-src, it's moving to this for >=7.0 ...

  • [script-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
    • Specify self to indicate that the app's origin, including the scheme and port number, is a valid source.
    • In a Blazor WebAssembly app:
      • Specify unsafe-eval to permit the Blazor WebAssembly Mono runtime to function.
      • Specify any additional hashes to permit your required non-framework scripts to load.

For style-src, it will say ...

The example will show the following for Blazor WASM ...

<meta http-equiv="Content-Security-Policy" 
      content="base-uri 'self';
               block-all-mixed-content;
               default-src 'self';
               img-src data: https:;
               object-src 'none';
               script-src 'self' 
                          'unsafe-eval';
               style-src 'self';
               upgrade-insecure-requests;">

And the 6.0 NOTE that says ...

The sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA= hash represents the [inline](https://github.com/dotnet/aspnetcore/blob/57501251222b199597b9ac16888f362a69eb13c1/src/Components/Web.JS/src/Platform/Mono/MonoPlatform.ts#L212) script that's used for Blazor WebAssembly. This may be removed in the future.

... is getting the 🪓 CHOP 🔪.

🇺🇦
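As an added example (not code from this PR or from the Blazor docs), a small checker that parses a CSP string and flags deviations from the >=7.0 Blazor WebAssembly guidance quoted above. The 7.0 policy below is the one from this PR; the 6.0-style policy is constructed to show the stale inline-script hash being caught.

```python
# Hash the 6.0 docs listed for the Blazor WebAssembly inline script; the 7.0
# guidance in this PR removes it, so its presence marks a policy copied from old docs.
LEGACY_BLAZOR_INLINE_HASH = "'sha256-v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA='"

# Policy from the PR's 7.0 example (whitespace as it appears in the <meta> tag).
BLAZOR_7_POLICY = """base-uri 'self';
               block-all-mixed-content;
               default-src 'self';
               img-src data: https:;
               object-src 'none';
               script-src 'self'
                          'unsafe-eval';
               style-src 'self';
               upgrade-insecure-requests;"""

# Constructed 6.0-style policy: same directives plus the now-removed hash.
BLAZOR_6_STYLE_POLICY = BLAZOR_7_POLICY.replace(
    "script-src 'self'", "script-src 'self' " + LEGACY_BLAZOR_INLINE_HASH)


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source expressions]}; tolerant of newlines."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:  # trailing ';' or blank segment
            continue
        directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def check_blazor_wasm_csp(policy: str) -> list:
    """Return findings for a Blazor WebAssembly CSP against the >=7.0 guidance."""
    csp = parse_csp(policy)
    findings = []
    script = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
    if "'self'" not in script:
        findings.append("script-src: add 'self' so framework scripts load from the app origin")
    if "'unsafe-eval'" not in script:
        findings.append("script-src: add 'unsafe-eval'; the Mono runtime requires it")
    if "'unsafe-inline'" in script:
        findings.append("script-src: drop 'unsafe-inline'; use hashes for non-framework scripts")
    if LEGACY_BLAZOR_INLINE_HASH in script:
        findings.append("script-src: stale 6.0 inline-script hash; remove it")
    if csp.get("object-src") != ["'none'"]:
        findings.append("object-src: set to 'none'")
    if csp.get("base-uri") != ["'self'"]:
        findings.append("base-uri: set to 'self'")
    return findings
```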

@guardrex guardrex requested a review from TanayParikh March 25, 2022 13:16
Contributor

@TanayParikh TanayParikh left a comment

Thanks @guardrex! I appreciate the deltas in the description! :shipit:

@guardrex guardrex merged commit 2b227b0 into main Mar 25, 2022
@guardrex guardrex deleted the guardrex-patch-1 branch March 25, 2022 22:52
@damienbod
Contributor

This looks cool, is it possible to use CSP nonces in .NET 7 with Blazor WASM hosted in ASP.NET Core?

Greetings Damien

@guardrex
Collaborator Author

Hello @damienbod ... Open your question for the product unit at ...

https://github.com/dotnet/aspnetcore/issues

Please add ...

cc: @guardrex

... to the question. We don't work on closed issues and PRs. Depending on the answer from the product unit, I'll open a new issue for the CSP topic.

@TanayParikh
Contributor

Hey @damienbod; dotnet/aspnetcore#36805 (comment)

@guardrex guardrex mentioned this pull request Jul 18, 2022

Successfully merging this pull request may close these issues.

Remove Blazor WASM Inline Script Hash from CSP
3 participants