Blazor WebAssembly (.NET 8) fails to initialize under strict CSP without unsafe-eval

[sequeirall]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

1. Context

Product: Blazor WebAssembly (.NET 8.0)

Hosting Environment: Azure Static Web Apps / ASP .NET Core 8.0

Target Browsers: Chrome (latest), Edge (latest), Firefox (latest)

Current Content Security Policy:

Content-Security-Policy:
default-src 'self';
base-uri 'self';
script-src 'self' 'wasm-unsafe-eval', /Sin unsafe-eval/
style-src 'self' 'unsafe-inline';
connect-src 'self' wss:;
img-src 'self' data:;
frame-ancestors 'none';

Se encuentra configurado el AOT

2. Error
   In the browser console you see:

blazor.web.js?v=2.0.4:1 crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
Unhandled exception rendering component: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-FCEYoMsCWaNC6V9enTg+1w==' 'wasm-unsafe-eval' 'sha256-0nv7KU+Rz+sigb9/5Ryh30SmVtbytt8tS7c4WUZvtrQ='".

Expected Behavior

When the application is served with a Content-Security-Policy that specifies only

script-src 'self';
(no unsafe‐eval), the Blazor WebAssembly runtime should still be able to download, compile (via streaming APIs), and instantiate its .wasm modules, initialize the .NET runtime, and render the UI successfully—without triggering any CSP violations or console errors.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

.net8 8.0.16

Anything else?

No response

[javiercn]

@sequeirall thanks for contacting us.

I believe this is addressed in later versions of Blazor (9 and onwards). We don't plan to backport this to 8.0 as it requires significant changes that aren't suitable for a patch release.

'wasm-unsafe-eval' is still required as that is a requirement browsers have to allow running webassembly

[javiercn]

If you run into any problem with .NET 9 or 10, let us know and we can take another look.

[BrendanRidenour]

@javiercn Unfortunately, this remains an issue with Blazor 9. Here is a repro project:
https://github.com/BrendanRidenour/Blazor9UnsafeEval

[willdean]

@BrendanRidenour Your .NET9 repro project adds wasm-unsafe-eval to make things work, which is a browser requirement for WASM. But the title of the issue is about unsafe-eval which is less specific and isn't required.

It does look like this works OK in 9.0.

[BrendanRidenour]

@willdean You're right of course, and I'm aware of the difference. But OP's descriptions includes script-src 'self' 'wasm-unsafe-eval', /Sin unsafe-eval/, which is about wasm-unsafe-eval, so that's why I included my repo.

Moving from unsafe-eval to wasm-unsafe-eval is an excellent improvement, as you point out.

[dotnet-policy-service]

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.