Skip to content

Blazor WebAssembly (.NET 8) fails to initialize under strict CSP without unsafe-eval #62049

Closed
@sequeirall

Description

@sequeirall

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

  1. Context

Product: Blazor WebAssembly (.NET 8.0)

Hosting Environment: Azure Static Web Apps / ASP .NET Core 8.0

Target Browsers: Chrome (latest), Edge (latest), Firefox (latest)

Current Content Security Policy:

Content-Security-Policy:
default-src 'self';
base-uri 'self';
script-src 'self' 'wasm-unsafe-eval', /Sin unsafe-eval/
style-src 'self' 'unsafe-inline';
connect-src 'self' wss:;
img-src 'self' data:;
frame-ancestors 'none';

Se encuentra configurado el AOT

  1. Error
    In the browser console you see:

blazor.web.js?v=2.0.4:1 crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
Unhandled exception rendering component: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-FCEYoMsCWaNC6V9enTg+1w==' 'wasm-unsafe-eval' 'sha256-0nv7KU+Rz+sigb9/5Ryh30SmVtbytt8tS7c4WUZvtrQ='".

Expected Behavior

When the application is served with a Content-Security-Policy that specifies only

script-src 'self';
(no unsafe‐eval), the Blazor WebAssembly runtime should still be able to download, compile (via streaming APIs), and instantiate its .wasm modules, initialize the .NET runtime, and render the UI successfully—without triggering any CSP violations or console errors.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

.net8 8.0.16

Anything else?

No response

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions