Security

CSP Support

Starting with bootstrapper 7.0.20, the bootstrapper supports Content Security Policy (CSP) for the web application. Specifically, the bootstrapper runs under a policy that omits the unsafe-eval directive; only the wasm-unsafe-eval directive is required.

Enabling CSP support can be done in three ways:

  • Adding the following block in the .csproj:

    <PropertyGroup>
        <WasmShellCSPConfiguration>default-src 'self'; script-src 'self' 'wasm-unsafe-eval'</WasmShellCSPConfiguration>
    </PropertyGroup>
    
  • Adding the following meta block in the index.html, if you have a custom one:

    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval'">
    
  • Providing the following header from the server:

    Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'
    
Important

Because the Uno.Wasm.Bootstrap package uses WebAssembly, the wasm-unsafe-eval directive must be present in the CSP configuration; without it the browser refuses to compile the WebAssembly module.

Enabling CSP without unsafe-eval implies that the application will not be able to use JavaScript's eval(), and JSImport/JSExport must be used instead.

Validation

To test a policy before enforcing it, use the report-only mode supported by browsers, which logs violations without blocking the application.

To enable this mode, use the Content-Security-Policy-Report-Only header instead of Content-Security-Policy.
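The following is an added example, not code from the Uno.Wasm.Bootstrap project or its documentation. It checks a policy delivered by any of the three mechanisms above (the .csproj property, a <meta> tag, or the HTTP header) for the two points this page makes: script-src must contain 'wasm-unsafe-eval', and 'unsafe-eval' is no longer needed. It also tells an enforcing Content-Security-Policy header apart from the Content-Security-Policy-Report-Only header used for validation. The function names, the sample <meta> string and the findings wording are this example's own choices.

```python
"""Check a Content-Security-Policy for a WebAssembly application.

Added example; not part of Uno.Wasm.Bootstrap. It parses a CSP string
(from a .csproj property, a <meta> tag or an HTTP header) and reports
whether WebAssembly can load under it and whether it is enforced or
report-only.
"""
import re
from typing import Dict, List, Tuple

# The policy shown on this page, used as the reference input.
PAGE_POLICY = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'"

# Constructed sample of the <meta> variant from this page.
SAMPLE_META = (
    '<meta http-equiv="Content-Security-Policy" '
    'content="' + PAGE_POLICY + '">'
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}.

    Directives are separated by ';'. The first token of each directive is
    its name (case-insensitive); the remaining tokens are source expressions.
    A directive that appears twice is taken from its first occurrence, which
    is how browsers treat duplicates.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Sources governing `name`, falling back to default-src when absent."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def check_wasm_policy(policy: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings) for a policy meant for a WebAssembly app.

    ok is True only when no finding is raised: script-src (or its
    default-src fallback) contains 'wasm-unsafe-eval', does not contain
    'unsafe-eval', and a default-src exists so unlisted fetch directives
    are not left unrestricted.
    """
    findings: List[str] = []
    directives = parse_csp(policy)
    script_sources = effective_sources(directives, "script-src")
    if "'wasm-unsafe-eval'" not in script_sources:
        findings.append("script-src lacks 'wasm-unsafe-eval'; WebAssembly will not load")
    if "'unsafe-eval'" in script_sources:
        findings.append("script-src allows 'unsafe-eval'; only 'wasm-unsafe-eval' is needed")
    if "default-src" not in directives:
        findings.append("no default-src; directives not listed are unrestricted")
    return (not findings, findings)


def policy_from_meta(html: str) -> str:
    """Extract the policy string from a Content-Security-Policy <meta> tag."""
    match = re.search(
        r'http-equiv="Content-Security-Policy"\s+content="([^"]*)"', html, re.I
    )
    return match.group(1) if match else ""


def classify_header(header_name: str) -> str:
    """Distinguish the enforcing header from the report-only one."""
    lowered = header_name.strip().lower()
    if lowered == "content-security-policy":
        return "enforce"
    if lowered == "content-security-policy-report-only":
        return "report-only"
    return "not-csp"


if __name__ == "__main__":
    for label, policy in [
        ("page policy", PAGE_POLICY),
        ("meta tag", policy_from_meta(SAMPLE_META)),
        ("missing wasm keyword", "default-src 'self'"),
    ]:
        ok, findings = check_wasm_policy(policy)
        print(label, "OK" if ok else "FINDINGS", findings)
```

Run it against the exact string your server sends (or the value you put in WasmShellCSPConfiguration); while validating with Content-Security-Policy-Report-Only, classify_header reminds you that nothing is being blocked yet.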

Limitations

Enabling CSP is not compatible with memory profiling and AOT profile generation.