From 011be558b009cfa37c4f6517f9a8cf2eaa980166 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Mon, 26 Jan 2026 09:44:50 -0500 Subject: [PATCH 1/3] [11.0 P1] Update CSP guidance for inline JS removal --- .../security/content-security-policy.md | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/aspnetcore/blazor/security/content-security-policy.md b/aspnetcore/blazor/security/content-security-policy.md index 5d402e701ad7..0ff6765f4f36 100644 --- a/aspnetcore/blazor/security/content-security-policy.md +++ b/aspnetcore/blazor/security/content-security-policy.md 
@@ -51,7 +51,7 @@ The following directives and sources are commonly used for Blazor apps. Add addi * Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source. * In a client-side Blazor app: * Specify [`wasm-unsafe-eval`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_webassembly_execution) to permit the client-side Blazor Mono runtime to function. - * Specify any additional hashes to permit your required *non-framework scripts* to load. For example, specify [`unsafe-hashes`](https://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src#unsafe_hashes) with a hash of `sha256-qnHnQs7NjQNHHNYv/I9cW+I62HzDJjbnyS/OFzqlix0=` to permit the inline JavaScript for the navigation toggler in the `NavMenu` component. + * Specify any additional hashes to permit your required *non-framework scripts* to load with [`unsafe-hashes`](https://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src#unsafe_hashes) and script hashes to permit the inline JavaScript to load. * In a server-side Blazor app, specify hashes to permit required scripts to load. * [`style-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets. * Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source. @@ -191,7 +191,25 @@ For more information, see [CSP: frame-ancestors (MDN documentation)](https://dev The following example is a starting point for further development. At the top of [`
` content](xref:blazor/project-structure#location-of-head-and-body-content), apply the directives described in the [*Policy directives*](#policy-directives) section, along with any other directives that your app specification requires. -:::moniker range=">= aspnetcore-8.0" +:::moniker range=">= aspnetcore-11.0" + +For Blazor Web Apps or Blazor Server apps: + +```html + +``` + +Blazor Web Apps have an `ImportMap` component in `` content that renders an inline import map `
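Review bot: In the `@@ -51,7 +51,7 @@` hunk, the replacement bullet is a run-on that repeats "to load" ("... to load with `unsafe-hashes` and script hashes to permit the inline JavaScript to load") and no longer says which case needs `unsafe-hashes`, whereas the removed line tied it to the inline JavaScript of the `NavMenu` toggler. Since the subject of this patch is the removal of that inline JavaScript, suggest splitting the bullet into two cases so the guidance stays precise, for example: "Specify hashes to permit your required *non-framework scripts* to load." and "If the app still contains inline event handlers, also specify `unsafe-hashes` with a hash of each handler." That keeps the MDN `unsafe-hashes` link where it applies and makes clear that a hash for a script element on its own does not require `unsafe-hashes`.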
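Review bot: In the `@@ -191,7 +191,25 @@` hunk, the existing opening moniker is edited from `:::moniker range=">= aspnetcore-8.0"` to `:::moniker range=">= aspnetcore-11.0"` rather than a new 11.0 block being added above the old one, so unless a later part of the patch reopens a `:::moniker range=">= aspnetcore-8.0 < aspnetcore-11.0"` block around the previous starting-point example, readers on 8.0 through 10.0 lose that example entirely; the diffstat shows only two deletions (the hash bullet and this moniker line), so the old example body should still exist and needs to end up under a versioned moniker. Also, the new sentence "Blazor Web Apps have an `ImportMap` component in ... content that renders an inline import map" is cut off in this view; please make sure the text that follows states how that inline import map is permitted by the `script-src` directive of the `html` example directly above it (hash or nonce), since otherwise the example policy would block the import map the app itself renders.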