24 changes: 22 additions & 2 deletions aspnetcore/blazor/security/content-security-policy.md
Expand Up @@ -51,7 +51,7 @@ The following directives and sources are commonly used for Blazor apps. Add addi
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
* In a client-side Blazor app:
* Specify [`wasm-unsafe-eval`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_webassembly_execution) to permit the client-side Blazor Mono runtime to function.
* Specify any additional hashes to permit your required *non-framework scripts* to load. For example, specify [`unsafe-hashes`](https://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src#unsafe_hashes) with a hash of `sha256-qnHnQs7NjQNHHNYv/I9cW+I62HzDJjbnyS/OFzqlix0=` to permit the inline JavaScript for the navigation toggler in the `NavMenu` component.
* Specify any additional hashes with the [`unsafe-hashes`](https://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src#unsafe_hashes) source expression to permit your required *non-framework inline scripts* to load.
* In a server-side Blazor app, specify hashes to permit required scripts to load.
* [`style-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
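Review bot: the reworded bullet ties every hash for "non-framework inline scripts" to the `unsafe-hashes` source expression, but a plain hash source already permits a matching inline `<script>` element; `'unsafe-hashes'` is only required for hashes that cover inline event handlers and `javascript:` URLs. Suggest splitting the bullet so readers don't add `unsafe-hashes` when a hash alone suffices, for example "Specify a hash to permit a required non-framework inline `<script>` block" and, separately, "Add `unsafe-hashes` only when the hash covers an inline event handler attribute." Dropping the worked `sha256-qnHnQs7NjQNHHNYv/I9cW+I62HzDJjbnyS/OFzqlix0=` example also leaves no pointer to how the hash is obtained; consider linking the bullet to the SRI/nonce section that the second hunk already references.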
Expand Down Expand Up @@ -191,7 +191,27 @@ For more information, see [CSP: frame-ancestors (MDN documentation)](https://dev

The following example is a starting point for further development. At the top of [`<head>` content](xref:blazor/project-structure#location-of-head-and-body-content), apply the directives described in the [*Policy directives*](#policy-directives) section, along with any other directives that your app specification requires.

:::moniker range=">= aspnetcore-8.0"
:::moniker range=">= aspnetcore-11.0"

For Blazor Web Apps or Blazor Server apps:

```html
<meta http-equiv="Content-Security-Policy" content="
base-uri 'self';
default-src 'self';
img-src data: https:;
object-src 'none';
script-src 'self' 'wasm-unsafe-eval';
style-src https:;
connect-src 'self' http: ws: wss:;
upgrade-insecure-requests;" />
```

Blazor Web Apps have an `ImportMap` component in `<head>` content that renders an inline import map `<script>` tag. To modify the policy to permit the import map to load, see the [Resolving CSP violations with Subresource Integrity (SRI) or a cryptographic nonce](#resolving-csp-violations-with-subresource-integrity-sri-or-a-cryptographic-nonce) section.

:::moniker-end

:::moniker range=">= aspnetcore-8.0 < aspnetcore-11.0"

For Blazor Web Apps or Blazor Server apps:

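Review bot: the sample policy in the new `>= aspnetcore-11.0` block sets `style-src https:` without `'self'`, which contradicts the `style-src` bullet above that recommends `self` and, because `https:` matches only HTTPS URLs, blocks the app's own stylesheets when the app runs over plain `http://localhost` in development; suggest `style-src 'self' https:` or just `'self'`. Likewise `connect-src 'self' http: ws: wss:` admits any origin for fetch, XHR and WebSocket connections, which is broader than the per-origin guidance elsewhere in the section; if this is meant as a hardened starting point, restrict it to `'self'` plus the specific endpoints the app needs. Finally, the lead sentence `For Blazor Web Apps or Blazor Server apps:` is repeated at the start of the `>= aspnetcore-8.0 < aspnetcore-11.0` block, so if the policy itself is identical across both ranges and only the `ImportMap` paragraph is new in 11.0, consider keeping one policy block and wrapping only that paragraph in the 11.0 moniker to avoid maintaining two copies of the same `<meta>` element.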