Security
CSP Support
Starting from the bootstrapper 7.0.20, the bootstrapper supports Content Security Policy (CSP) for the web application. Specifically, the bootstrapper is compliant with the unsafe-eval CSP feature.
Enabling CSP support can be done in three ways:
- Adding the following block in the .csproj:
    <PropertyGroup>
      <WasmShellCSPConfiguration>default-src 'self'; script-src 'self' 'wasm-unsafe-eval'</WasmShellCSPConfiguration>
    </PropertyGroup>
- Adding the following meta block in the index.html, if you have a custom one:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval'">
- Providing the following header from the server:
Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'
Important
Because the Uno.Wasm.Bootstrap package uses WebAssembly, the wasm-unsafe-eval directive must be provided in the CSP configuration.
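A quick check of whether a CSP policy string lets the browser compile WebAssembly, as an added example that is not part of the Uno.Wasm.Bootstrap documentation. It assumes the CSP3 rules that script-src falls back to default-src when absent and that the broader 'unsafe-eval' keyword also permits WebAssembly; the sample policies are constructed from the ones shown above.

```python
# Added example (not from the Uno.Wasm.Bootstrap project): parse a CSP policy
# and report whether WebAssembly compilation is permitted and by which directive.
from typing import Dict, List, Optional


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]}.

    Directive names are case-insensitive; per CSP3 a repeated directive
    is ignored, so the first occurrence wins.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def check_wasm_csp(policy: str) -> Dict[str, Optional[object]]:
    """Return which directive governs scripts and whether wasm may be compiled."""
    directives = parse_csp(policy)
    if "script-src" in directives:
        governing: Optional[str] = "script-src"
    elif "default-src" in directives:
        governing = "default-src"
    else:
        # Neither directive present: CSP places no restriction on scripts.
        return {"governing": None, "wasm_allowed": True, "uses_unsafe_eval": False}
    # Keyword sources such as 'self' match ASCII case-insensitively.
    sources = {s.lower() for s in directives[governing]}
    broad = "'unsafe-eval'" in sources           # allows eval() AND wasm
    narrow = "'wasm-unsafe-eval'" in sources      # allows wasm only
    return {
        "governing": governing,
        "wasm_allowed": broad or narrow,
        "uses_unsafe_eval": broad,
    }


if __name__ == "__main__":
    # Constructed sample: the policy used in the .csproj / meta / header above.
    print(check_wasm_csp("default-src 'self'; script-src 'self' 'wasm-unsafe-eval'"))
```

A result with wasm_allowed False means the bootstrapper will fail to instantiate the runtime under that policy; uses_unsafe_eval True means the policy is looser than the wasm-unsafe-eval directive the docs recommend.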
Enabling CSP without unsafe-eval implies that the application will not be able to use Runtime.JSInvoke, and JSImport/JSExport must be used instead.
Validation
To test a policy before enforcing it, browsers support a report-only mode which logs violations and continues. To enable this mode, use the Content-Security-Policy-Report-Only header instead of Content-Security-Policy.
Limitations
Enabling CSP is not compatible with memory profiling and AOT profile generation.