Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
- Context
Product: Blazor WebAssembly (.NET 8.0)
Hosting Environment: Azure Static Web Apps / ASP .NET Core 8.0
Target Browsers: Chrome (latest), Edge (latest), Firefox (latest)
Current Content Security Policy:
Content-Security-Policy:
default-src 'self';
base-uri 'self';
script-src 'self' 'wasm-unsafe-eval', /Sin unsafe-eval/
style-src 'self' 'unsafe-inline';
connect-src 'self' wss:;
img-src 'self' data:;
frame-ancestors 'none';
Se encuentra configurado el AOT
- Error
In the browser console you see:
blazor.web.js?v=2.0.4:1 crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
Unhandled exception rendering component: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-FCEYoMsCWaNC6V9enTg+1w==' 'wasm-unsafe-eval' 'sha256-0nv7KU+Rz+sigb9/5Ryh30SmVtbytt8tS7c4WUZvtrQ='".
Expected Behavior
When the application is served with a Content-Security-Policy that specifies only
script-src 'self';
(no unsafe‐eval), the Blazor WebAssembly runtime should still be able to download, compile (via streaming APIs), and instantiate its .wasm modules, initialize the .NET runtime, and render the UI successfully—without triggering any CSP violations or console errors.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
.net8 8.0.16
Anything else?
No response