Make blazor.server.js compatible with strict CSS CSP

[michaelongithub]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

blazor.server.js creates sometimes inline styles dynamically at runtime. This is a violation of strict Css CSP Policies. Workarounds with JS CreateElement and analogous tricks is unsafe itself, because it defeats the purpose of CSP by creating a bypass mechanism and is vulnerable to being overwritten by XSS attacks.

Describe the solution you'd like

The framework itself should provide a possibility (flag,option,...) to create CSP nonces for by the framework generated inline styles.

Additional context

No response

[javiercn]

@michaelongithub thanks for contacting us.

Rather than doing this, we would likely move the relevant UI into the templates. I suspect the issues you are having are with the reconnect UI. Is that the case?

[michaelongithub]

Hi javiercn
not sure I understand your remark. It is really blazor.server.js that creates sometimes inline styles dynamically at runtime. This seems to be generally known and if one checks the source of the violation it produces in the browsers devtools, it is visible, that it stems from there. If one has the organizational requirement to have a strict CSS CSP, inline styles are not allowed. So there is a conflict. I have no preference, where one can tell the Blazor Server framework to create nonces for the inline css it creates. But as I understand the nature of the situation, the framework itself must do that.

Alternatively: provide guidance and example on how to mitigate this problem and allow Blazor Server apps to adhere to strict CSS CSP without JS hacks or relaxing the CSP Policy.

[javiercn]

@michaelongithub we ship that UI within blazor.server.js, nothing precludes us from ejecting it into the template, where you have full control over it, and doesn't have to inline anything.

I'd rather us update blazor.server.js to be compliant with the strictest csp policy rather than add "patches" to pass nonces, that was the only comment.

[michaelongithub]

javiercn:
Thanks again for the swift reaction.
So does that mean that future versions (starting when ?, or hotfix ?) of blazor.server.js wont create inline styles by themself any longer ?

[javiercn]

@oroztocil when you fix #57453 make sure that this is unblocked in that scenario.

For context, the plan is to address this issue by moving the UI into the project template as part of #57453 at that point the solution for existing apps would be to add the same code that will ship in the template into their projects.

We should have an E2E test validating that we can successfully setup a strict CSP policy.