@guardrex While 'unsafe-eval' is no longer required, 'wasm-unsafe-eval' is required instead (because WebAssembly execution is disabled without it). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_webassembly_execution. |
|
@MackinnonBuck ... Ok ... I put that on the last commit. ... and then I added that cross-link to it on the next commit. |
|
@MackinnonBuck unsafe-eval is still required due to the blazor js script. I get errors when I test this with the latest preview. Did I miss something? .NET 7: it's not working. .NET 8: it's not working. https://github.com/damienbod/Hostedblazor8Aad

    builder.AddScriptSrc()
        .Self()
        .WithHash256("v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=")
        //.WasmUnsafeEval(); cannot use in .NET 8 preview, .NET 7
        .UnsafeEval();

Greetings Damien |
|
@damienbod ... I recommend posting the rendered |
|
The script hash is probably different. Try that hash from the error and see if it resolves it ... - .WithHash256("v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=")
+ .WithHash256("sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=")(Nevermind ... I remember now that yes, the Either that, or add the hash because this is a different script ... + .WithHash256("sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=") |
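Review bot: the replacement `.WithHash256(...)` argument carries a `sha256-` prefix, while the line being removed passes only the bare base64 digest, so the two calls hand the method differently shaped values. Pass the hash in the same form as the original call, or confirm in the rendered Content-Security-Policy header that the source comes out as a single `'sha256-...'` token rather than with the prefix doubled.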
|
CSP response headers: Working: Not Working: Error: |
|
When we used to have hashes in the topic (6.0 or earlier), I would update them on release day because they were potentially being churned by the PU all the way up to final release. That wasn't a problem at 7.0 because no hashes were required for the CSP in the base OOB app case. |
|
@guardrex The one which fails uses the 'wasm-unsafe-eval' and the error is about the missing 'unsafe-eval'. Maybe this is something new in the .NET 8 Blazor js?
... but perhaps that's only because it needs the hash for the script that the error mentions. What happens if you use the one from the error message ...

    builder.AddScriptSrc()
        .Self()
        .WithHash256("sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=")
        .WasmUnsafeEval();
|
... and btw ... looks like you aren't on latest ...
Update to Pre4. It might not matter, but there's a lot of churn on a lot of features preview-to-preview 🏃⛏️ 🏃⛏️🏃⛏️. |
|
@guardrex latest version does not start. Yes, this is probably just a WIP problem and will probably be fixed in the next preview release. I just wanted to mention it so that it's visible. Released version works without problem. I will test with the other hash as well. Greetings Damien |
|
Was doing some testing again and this does not work in .NET 7 either, the 'unsafe-eval' is still required. (The headers were disabled when I tested this before.) .NET 7 error: |
|
@damienbod The 'unsafe-eval' requirement will still be required for .NET 7 and earlier. Also, please note that the updates enabling improved CSP compliance aren't available in a public preview release yet. You could try installing a nightly build from https://github.com/dotnet/installer to test this new improvement. Thanks! |
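An added example, not code from this PR or from the Blazor docs: a small Python audit of a `script-src` source list that reports whether string eval and WebAssembly compilation are permitted and flags hash sources that can never match, such as one with the `sha256-` prefix repeated. The function names and the sample policy are constructed for illustration; the hash value is the one quoted in the thread.

```python
import base64
import hashlib
import re

HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'$")
DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}

# Constructed sample policy (not from the thread); its hash source repeats the prefix.
SAMPLE_POLICY = ("default-src 'self'; script-src 'self' 'wasm-unsafe-eval' "
                 "'sha256-sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='")

def csp_hash_source(script_text, alg="sha256"):
    """Quoted hash source for an inline script body, as it appears in script-src."""
    digest = hashlib.new(alg, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (alg, base64.b64encode(digest).decode("ascii"))

def script_src_sources(header_value):
    """Source list of script-src, or [] when absent (default-src fallback not modelled)."""
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []

def is_valid_hash_source(source):
    """True when the token is '<alg>-<base64>' with a digest of the right length."""
    match = HASH_RE.match(source)
    if not match:
        return False
    try:
        raw = base64.b64decode(match.group(2), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == DIGEST_LEN[match.group(1)]

def audit_script_src(header_value, inline_scripts=()):
    """Report what the policy permits and which hash sources cannot match anything."""
    sources = script_src_sources(header_value)
    keywords = {s.lower() for s in sources}  # keyword sources are case-insensitive
    hashes = [s for s in sources if re.match(r"^'sha(256|384|512)-", s, re.I)]
    return {
        "eval_allowed": "'unsafe-eval'" in keywords,
        "wasm_allowed": bool(keywords & {"'unsafe-eval'", "'wasm-unsafe-eval'"}),
        "malformed_hashes": [s for s in hashes if not is_valid_hash_source(s)],
        "inline_without_hash": [s for s in inline_scripts if csp_hash_source(s) not in sources],
    }

if __name__ == "__main__":
    print(audit_script_src(SAMPLE_POLICY, inline_scripts=["", "console.log(1)"]))
```

`csp_hash_source("")` returns the `47DEQ...` value quoted in the thread, so that value is the SHA-256 of an empty script body.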
Fixes #29293
Mackinnon ... I see that Pavel is still working on runtime bits, but is it ok to knock this out for preview coverage now?
It's not easy to see from the diff because it's adding versioned content. The changes here are to ...
Remove the following line ...
Change part of the WASM policy from ...
... to ...
Internal previews