1.8 KiB
| uid |
|---|
| Uno.Wasm.Bootstrap.Security |
Security
CSP Support
Starting from the bootstrapper 7.0.20, the bootstrapper supports Content Security Policy (CSP) for the web application. Specifically, the bootstrapper is compliant with the unsafe-eval CSP feature.
Enabling CSP support can be done in three ways:
- Adding the following block in the
.csproj:<PropertyGroup> <WasmShellCSPConfiguration>default-src 'self'; script-src 'self' 'wasm-unsafe-eval'</WasmShellCSPConfiguration> </PropertyGroup> - Adding the following meta block in the index.html, you have a custom one:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval'"> - Providing the following header from the server:
Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'
[!IMPORTANT] The Uno.Wasm.Bootstrap package uses WebAssembly, it is required to provide the
wasm-unsafe-evaldirective in the CSP configuration.
Enabling CSP without unsafe-eval implies that the application will not be able to use Runtime.JSInvoke, and JSImport/JSExport must be used instead.
Validation
In order to test, browsers support a report-only mode which logs violations and continues.
To enable this mode, use the Content-Security-Policy-Report-Only header instead of Content-Security-Policy.
Limitations
Enabling CSP is not compatible with memory profiling and AOT profile generation.