@guardrex (Collaborator) commented Jan 26, 2026

Fixes #36684
Addresses #36448

Wade or Tom ... Just knocking out the hash guidance now that the inline JS will be going away at 11.0.

I agreed (for the most part) with one of Copilot's suggestions and made a change to address it. I didn't agree with the other suggestion.


Internal previews

| 📄 File | 🔗 Preview link |
| --- | --- |
| aspnetcore/blazor/security/content-security-policy.md | aspnetcore/blazor/security/content-security-policy |

@guardrex guardrex self-assigned this Jan 26, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the Content Security Policy (CSP) guidance for Blazor to reflect the removal of inline JavaScript in the NavMenu component starting with .NET 11.0. The change eliminates the need for the unsafe-hashes directive and specific hash values that were previously required for the navigation toggler functionality.

Changes:

  • Updated generic guidance text for client-side Blazor apps to remove the specific NavMenu example while keeping general unsafe-hashes guidance
  • Added new CSP policy example for .NET 11.0+ that excludes the unsafe-hashes directive and hash value
  • Adjusted moniker ranges to properly version the CSP examples between .NET 8.0-10.0 and .NET 11.0+
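
Added example (not part of this PR, the Blazor docs, or either comment above): a small JavaScript audit that reports whether a CSP still permits inline event handlers through `unsafe-hashes`, the directive this PR drops from the .NET 11.0+ guidance. Both policy strings, the placeholder hash, and the function names are constructed for illustration.

```javascript
// Constructed sample policies; the hash is a placeholder, not a real digest
// and not the value from the Blazor documentation.
const POLICY_BEFORE =
  "default-src 'self'; script-src 'self' 'unsafe-hashes' " +
  "'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='; object-src 'none'";
const POLICY_AFTER = "default-src 'self'; script-src 'self'; object-src 'none'";

const HASH_SOURCE = /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/i;

// Parse a serialized policy into a Map of directive name -> source list.
// When a directive is repeated, only its first occurrence is used.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Inline event handlers (onclick="...") are governed by script-src-attr,
// falling back to script-src and then default-src.
function auditInlineHandlers(policy) {
  const directives = parseCsp(policy);
  const governing = ['script-src-attr', 'script-src', 'default-src']
    .find((name) => directives.has(name)) ?? null;
  const sources = governing ? directives.get(governing) : [];
  const keywords = sources.map((s) => s.toLowerCase());
  const unsafeHashes = keywords.includes("'unsafe-hashes'");
  const unsafeInline = keywords.includes("'unsafe-inline'");
  return {
    governing,
    unsafeHashes,
    unsafeInline,
    hashes: sources.filter((s) => HASH_SOURCE.test(s)),
    // "clean" means a governing directive exists and carries neither keyword.
    clean: governing !== null && !unsafeHashes && !unsafeInline,
  };
}

console.log(auditInlineHandlers(POLICY_BEFORE));
console.log(auditInlineHandlers(POLICY_AFTER));
```

A policy with no `script-src-attr`, `script-src`, or `default-src` is reported with `governing: null` and `clean: false`, because nothing in it restricts inline handlers.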

@guardrex guardrex removed the request for review from wadepickett January 26, 2026 17:01
@guardrex guardrex added the 11.0 .NET 11 label Jan 28, 2026
Development

Successfully merging this pull request may close these issues.

[11.0 P1] Remove the unsafe-hashes entry for the NavMenu component inline JS
