Reputation: 329
I have a .NET 7 Blazor WASM application (client + server). I constantly see errors in my web browser like this:
Because of these issues, I probably can't debug my client-side application from Visual Studio. I'm trying to disable CSP, or at least relax the restrictions a little in debug mode. But I can't!
I've added this in my index.html to allow everything:

    <meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; img-src * data:; connect-src *;">

And this on the server side (program.cs) to ensure that my client settings are not overriding:

    var builder = WebApplication.CreateBuilder(args);
    var connectionString = builder.Configuration.GetConnectionString("ApplicationDbContextConnectionPRD")
        ?? throw new InvalidOperationException("Connection string 'ApplicationDbContextConnection' not found.");
    #if DEBUG
    connectionString = builder.Configuration.GetConnectionString("ApplicationDbContextConnectionDEV")
        ?? throw new InvalidOperationException("Connection string 'ApplicationDbContextConnection' not found.");
    #endif
    builder.Services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(connectionString));
    builder.Services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
        .AddRoles<IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>();
    builder.Services.AddIdentityServer()
        .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
    builder.Services.AddAuthentication()
        .AddIdentityServerJwt();
    builder.Services.AddControllersWithViews();
    builder.Services.AddRazorPages();
    builder.Services.AddSingleton<ServerHub>();
    builder.Services.AddSignalR();
    builder.Services.AddCors(options =>
    {
        options.AddPolicy(name: "cors",
            policy =>
            {
                policy.AllowAnyOrigin();
                policy.AllowAnyMethod();
                policy.AllowAnyHeader().WithExposedHeaders("*");
            });
    });
    builder.Services.AddHttpClient();
    var app = builder.Build();
    // Configure the HTTP request pipeline.
    if (app.Environment.IsDevelopment())
    {
        app.UseWebAssemblyDebugging();
    }
    else
    {
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }
    app.UseHttpsRedirection();
    app.UseBlazorFrameworkFiles();
    app.UseStaticFiles();
    app.UseRouting();
    app.UseIdentityServer();
    app.UseAuthentication();
    app.UseAuthorization();
    app.MapRazorPages();
    app.MapControllers();
    app.MapHub<BlazorWasmApp.Server.Hubs.ServerHub>(BlazorWasmApp.Server.Hubs.ServerHub.HubUrl);
    app.MapFallbackToFile("index.html");
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Remove("Content-Security-Policy");
        await next.Invoke();
    });
    app.Run();

But I still have the same error.
Upvotes: -1
Views: 783
Reputation: 3475
Content needs to pass all Content Security Policies. Adding another policy can only make the total policy stricter. You need to identify where the original policy is set; try searching for elements from it that you can see in the response header. Then you need to modify it or remove it for development.
Upvotes: 0
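
The rule in the answer above, as an added example that is not part of the original posts: a simplified JavaScript model of how a browser evaluates several policies together, showing why the permissive `<meta>` policy from the question cannot loosen a stricter one. The function names and the header policy value are assumptions constructed for illustration; only keyword sources and the `default-src` fallback are modelled.

```javascript
// Added example: simplified model of how a browser combines several CSPs.
// Only keyword sources and the default-src fallback are modelled.

// Parse "name src src; name src" into Map { directive -> [sources] }.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does ONE policy permit the keyword (e.g. 'unsafe-eval') for a directive?
function policyAllows(policy, directive, keyword) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing applies: unrestricted
  return sources.some((s) => s.toLowerCase() === keyword);
}

// Every policy must allow the action, so list the ones that do not.
function blockingPolicies(policies, directive, keyword) {
  return policies
    .filter((p) => !policyAllows(parsePolicy(p.value), directive, keyword))
    .map((p) => p.origin);
}

const policies = [
  // Constructed sample: a stricter policy arriving as a response header.
  { origin: 'response header', value: "default-src 'self'; script-src 'self'" },
  // The permissive <meta> policy from the question.
  {
    origin: 'index.html <meta>',
    value: "default-src * 'unsafe-inline' 'unsafe-eval'; " +
      "script-src * 'unsafe-inline' 'unsafe-eval'; " +
      "style-src * 'unsafe-inline'; img-src * data:; connect-src *;",
  },
];

console.log(blockingPolicies(policies, 'script-src', "'unsafe-eval'"));
console.log(blockingPolicies(policies.slice(1), 'script-src', "'unsafe-eval'"));
```

Feeding it the `Content-Security-Policy` value copied from the browser's network tab in place of the constructed header shows which delivered policy is the one doing the blocking.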