
frustration with inline script #34425

Open
jbaumflek opened this issue Dec 31, 2024 · 5 comments · May be fixed by #34431

Comments

@jbaumflek

jbaumflek commented Dec 31, 2024

Description

Perhaps this is not a documentation issue, or rather, this document in particular.
As we discovered in pen testing of our Blazor server-side app, we were missing CSP headers. As I put them in, I am running into a BIG problem because, as much of the Blazor sample documentation indicates, I used inline script all over the place. If I have to hash every single place in the app where there is code, I can't imagine the size of the CSP header for all the hashes I'll need.
I must be missing something... or there is a fundamental flaw in Blazor/Razor re: security and XSS.


Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/content-security-policy?view=aspnetcore-8.0#server-side-blazor-apps

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/content-security-policy.md

Document ID

6e0b5c52-90a1-5ca6-bfad-df33a8beae6c

Article author

@guardrex

Related Issues

Contributor

🍂🎁 Happy Holidays! ❄️⛄

This issue has been marked for triage on the Blazor Docs GitHub project, and I'll respond as soon as I return from the holiday vacation after New Year's.

We only work on documentation on this repo. If you need product support, close this issue and seek assistance through one or more of the following support channels:

If you think that you found a potential bug in the framework or have product feedback, close this issue and open a new issue for the ASP.NET Core product unit at dotnet/aspnetcore issues. Bug reports require a clear explanation of the problem, usually including a minimal repro project placed on GitHub for the product unit engineers to download and run. If you determine with the product unit that it isn't a bug but merely requires documentation, please re-open this docs issue and place a cross-link to your engineering issue discussion.

For problems or feedback on Visual Studio, close this issue and use the Report a Problem or Suggest a Feature processes from within VS, which open internal issues for the VS product unit. For more information, see Visual Studio Feedback.

For problems with Visual Studio Code, close this issue and ask for support on community support forums. For bug reports and product feedback, open an issue on the microsoft/vscode GitHub repo.

💃🕺🥳 Happy New Year! 🎈🎆🍾🥂🎉 See you in 2025!

@guardrex
Collaborator

guardrex commented Dec 31, 2024

Hello @jbaumflek ...

there is a fundamental flaw in Blazor/razor re: security and XSS

No, it's just not the intended best case scenario to make liberal use of inline scripts in Blazor. If you want to do that, I think you'd probably use the hash-source approach. Could you look into that approach and see if it would aid you? Scroll down in this section ...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script

Also, consider not using a lot of inline scripts if you can. See if you can leverage JS collocation instead.

Leave this issue open until I get back to work after New Year's. I'd like to take a closer look at it for possible coverage.

Happy New Year! 🎉 ... I'll get back to you probably next week or the week after.

BTW ... I originally wondered if nonce-source would work and wrote that. I switched my above comment to hash-source because nonce-source requires the nonce to be dynamically generated. Still tho, one might be able to pull that off by adding the CSP via controlling <head> content. All of this is why I say I'd like to take a closer look at the whole subject when I get back from vacation. We can have a quick chat with either Steve or Javier when we all get back. Until then tho, please do consider trying to move away from a lot of inline JS if you can. Blazor doesn't really have a good story for that. Blazor is kind'a really about trying to not program in JS in favor of C#.

@guardrex
Collaborator

guardrex commented Jan 2, 2025

Took a closer look.

<script> tags can't be dynamically modified by Blazor. Therefore, the nonce-source approach is completely ruled out. This should be mentioned in the CSP article.

Now, might a hash-source approach work with controlling <head> content (i.e., dynamically create the hash in a component for the inline script and load it via controlling <head> content)? Yes and no ... mostly NO. If you try to generate the hash dynamically in a component for a specific inline script, it simply doesn't work, probably because the most restrictive policy is used by the browser (i.e., the app-level CSP that you set in the App component). One could dynamically generate the hash for the CSP in the App component, but that's a wild hack with far more overhead than it's worth because the inline script isn't even there, as it would be in components loaded by children of the App component (btw tho, the approach does work here in a test that I performed).

I'm going to note that inline JavaScript requires the inline script's hash to appear in the most restrictive policy, which is typically the policy set in the App component. I'll recommend not using inline scripts and focusing more on the JS collocation approach. Then, I'll ask Steve to review the PR.

WRT your asking about Blazor having some kind of feature to better manage CSPs for inline scripts, you can open an issue for the product unit to ask them about it at ...

https://github.com/dotnet/aspnetcore/issues

Please add ...

cc: @guardrex https://github.com/dotnet/AspNetCore.Docs/issues/34425

... to the bottom of your opening comment so that I can follow along and possibly take some of their response into my PR on this. I'll ping u on the PR when it goes up.

I think that they're going to tell you not to rely on a lot of inline scripting with Blazor with a CSP.
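The hash-source route suggested in the first reply, and the point made above that an inline script's hash has to appear in every policy the browser enforces (the most restrictive one decides), as an added example that is not code from this thread or from the ASP.NET Core docs. It is written in Python to show the mechanics rather than in C#; the Razor markup and the app-level policy are constructed samples, and the evaluator models only the hash, nonce and 'unsafe-inline' rules that matter for this discussion.

```python
import base64
import hashlib
import re

# Constructed sample of Razor markup (not from the docs or the thread): one external
# script plus two inline scripts, the pattern the issue describes being "all over the place".
SAMPLE_RAZOR = """
<head>
    <script src="_framework/blazor.web.js"></script>
    <script>
        window.greet = () => alert('hi');
    </script>
</head>
<body>
    <script>console.log("ready");</script>
</body>
"""

# Matches <script ...> elements that have no src attribute and captures their exact text content.
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def inline_scripts(markup: str) -> list[str]:
    """Return the text content of every inline <script> element, exactly as written."""
    return INLINE_SCRIPT_RE.findall(markup)


def csp_hash(script_text: str, algorithm: str = "sha256") -> str:
    """Hash-source for an inline script: base64 of the digest over the element's UTF-8 text.
    Whitespace counts, so reformatting or editing a script invalidates its hash."""
    digest = hashlib.new(algorithm, script_text.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def script_src_directive(markup: str) -> str:
    """Build a script-src directive allowing same-origin files and each inline script in markup."""
    sources = ["'self'"] + [csp_hash(text) for text in inline_scripts(markup)]
    return "script-src " + " ".join(sources)


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source, ...]}."""
    directives: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def inline_script_allowed(script_text: str, policy: str) -> bool:
    """Does one policy allow this inline script? Models the rules that matter here:
    script-src falls back to default-src; 'unsafe-inline' is ignored once any hash or
    nonce is listed; otherwise a listed hash-source must match the script's content."""
    directives = parse_policy(policy)
    if "script-src" in directives:
        sources = directives["script-src"]
    elif "default-src" in directives:
        sources = directives["default-src"]
    else:
        return True  # nothing in this policy governs scripts
    hashes = [s for s in sources if s.startswith("'sha")]
    nonces = [s for s in sources if s.startswith("'nonce-")]
    if "'unsafe-inline'" in sources and not hashes and not nonces:
        return True
    return any(csp_hash(script_text, h[1:].split("-", 1)[0]) == h for h in hashes)


def allowed_under_all(script_text: str, policies: list[str]) -> bool:
    """Several policies (e.g. an HTTP header plus a <meta> tag) are enforced independently,
    so a script runs only if every one of them allows it: the most restrictive policy wins."""
    return all(inline_script_allowed(script_text, p) for p in policies)


if __name__ == "__main__":
    component_policy = script_src_directive(SAMPLE_RAZOR)
    print(component_policy)
    # Constructed app-level policy with no hashes, standing in for a CSP set once for the whole app.
    app_policy = "default-src 'self'; script-src 'self'"
    script = 'console.log("ready");'
    print("allowed by the component policy alone:", inline_script_allowed(script, component_policy))
    print("allowed once the app-level policy also applies:",
          allowed_under_all(script, [app_policy, component_policy]))
```

Running it prints a directive with one 53-character token per inline script, which gives a feel for the header growth the issue worries about: identical scripts share a hash, but every distinct inline block adds a token, and any edit to a block silently invalidates its hash until the policy is regenerated. The last line shows why a hash emitted only by a child component does not help when an app-level policy without that hash is also in force.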

@guardrex guardrex moved this from Triage to P2 - Medium Priority in Blazor.Docs Jan 2, 2025
@guardrex guardrex moved this from P2 - Medium Priority to In progress in Blazor.Docs Jan 2, 2025
@guardrex guardrex linked a pull request Jan 2, 2025 that will close this issue
@jbaumflek
Author

@guardrex What do you mean here:
I'm going to note that inline JavaScript requires the inline script's hash to appear in the most restrictive policy, which is typically the policy set in the App component
I think I'm missing something - I am setting the CSP uniformly from the program.cs file.
What would it look like in the App component?

thanks,
Jean

@guardrex
Collaborator

guardrex commented Jan 2, 2025

Just as the article shows, the CSP <meta> tag is in the App component's <head> content.

I wasn't ever given a Program file approach by the product unit. I'll note that on your PU issue for a response from them.

Done! 👍 ... I added a remark to my comment on your PU issue. Let's see if Javier/Steve would like to expand our coverage or if they say that they always want devs to embed a physical <meta> tag in <head> content.

Never mind! ... I see it now ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/fundamentals/startup?view=aspnetcore-8.0#server-side-and-prerendered-client-side-scenarios

I'll confirm that this is cross-linked or included in the CSP article. Confirmed! It is cross-linked in two places. I'll add one more cross-link to the CSP article's server-side section.
