CSP Support

Starting with version 7.0.20, the bootstrapper supports Content Security Policy (CSP) for the web application. Specifically, the bootstrapper is compliant with the unsafe-eval CSP feature.

Enabling CSP support can be done in three ways:

  • Adding the following block in the .csproj:
      <WasmShellCSPConfiguration>default-src 'self'; script-src 'self' 'wasm-unsafe-eval'</WasmShellCSPConfiguration>
  • Adding the following meta block in the index.html, if you have a custom one:
      <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval'">
  • Providing the following header from the server:
      Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'

Because the Uno.Wasm.Bootstrap package uses WebAssembly, the CSP configuration must include wasm-unsafe-eval.

Enabling CSP without unsafe-eval implies that the application will not be able to use Runtime.JSInvoke, and JSImport/JSExport must be used instead.
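
The following is an added example, not code from the bootstrapper: a small Node.js check that parses a policy string and reports whether it allows WebAssembly compilation (wasm-unsafe-eval) and whether it also allows full eval (unsafe-eval). The function names parseCsp and checkWasmCsp are hypothetical, and the sample policies other than the first are constructed.

```javascript
// Added example; function names are hypothetical, not part of Uno.Wasm.Bootstrap.

// Parse a policy string into a Map: directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether the policy lets WebAssembly compile, and whether it also
// permits full eval().
function checkWasmCsp(policy) {
  const directives = parseCsp(policy);
  // script-src governs eval and wasm compilation; default-src is the fallback
  // only when script-src is absent.
  const governing = directives.has('script-src') ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    // Neither directive is present, so scripts are not restricted at all.
    return { governing, wasmAllowed: true, evalAllowed: true };
  }
  // Keywords are matched case-insensitively.
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const evalAllowed = sources.includes("'unsafe-eval'");
  const wasmAllowed = evalAllowed || sources.includes("'wasm-unsafe-eval'");
  return { governing, wasmAllowed, evalAllowed };
}

// Constructed sample policies; the first is the one shown on this page.
const samples = [
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self'; script-src 'self'",
  "default-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self' 'wasm-unsafe-eval'; script-src 'self'",
];
for (const p of samples) {
  console.log(JSON.stringify(checkWasmCsp(p)), '<-', p);
}
```

The fourth sample shows that wasm-unsafe-eval placed only in default-src has no effect once script-src is present, because the fallback no longer applies.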


For testing, browsers support a report-only mode that logs violations and lets the application continue.

To enable this mode, use the Content-Security-Policy-Report-Only header instead of Content-Security-Policy.


Enabling CSP is not compatible with memory profiling and AOT profile generation.