- ABP Framework version: v8.0.4
- UI Type: Blazor Server
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): no
We have to apply certain CSPs (Content Security Headers) for our customer. I have problems with the following policy:
style-src 'self'
For example, the column widths are no longer set correctly in the DataGrid and, more importantly, the modal components are no longer displayed.
The policy looks like this:
options.UseContentSecurityPolicyHeader = true;
options.ContentSecurityPolicyValue = "base-uri 'self'; default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'";
With style-src 'self' 'unsafe-inline'
it would work... but is not allowed.
Need a solution as soon as possible... Thank you!
9 Answer(s)
-
0
hi
How can I reproduce this CSP error?
Please share some code and steps.
Thanks.
-
0
- Generate Blazor Server project with ABP Suite template (I have version 8.0.4)
- Add the following method in the BlazorModule:
    private void ConfigureSecurityHeaders()
    {
        Configure<AbpSecurityHeadersOptions>(options =>
        {
            options.UseContentSecurityPolicyHeader = true;
            options.ContentSecurityPolicyValue = "base-uri 'self'; default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'";
        });
    }
-
0
-
0
-
0
-
0
But which part of the code contains inline CSS? The one from ABP? The one from Blazorise? Because I have fixed everything in my code.
Have you been able to reproduce it with the ABP Suite template? What alternatives do I have if the customer insists on a secure CSP?
-
0
Hello,
I understand your concerns, but we can't solve the entire problem ourselves. Even the most popular JavaScript libraries aren't compatible with CSP. I agree we have some unsupported scripts in the framework, too. And we'll try to make it compatible in time. But it's not enough to make it fully compatible. All the JavaScript dependencies should update themselves to be compatible with your style-src CSP case.
We'll work on our side, but for third-party libraries, I suggest you create issues on their own GitHub repositories. It seems you're working on a Blazor project; I'll check if we can do something for Blazorise. But I can't say anything clear about the rest of the dependencies. Thanks for your understanding.
-
0
I understand the problem... In my case, it's mainly about the modal control, which doesn't work. If at least that would work, I would be happy. I could live with the rest of the error messages. But without the modal control, of course the whole admin area doesn't work.
I think the Blazorise controls are the main problem. Can you address the need there as well?
There is already an issue there: https://github.com/Megabit/Blazorise/issues/5460
-
0
Yes, this is a problem with Blazorise. We need to wait for Blazorise to support it.
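For the question above about which markup carries inline CSS, the following added example (not code from ABP, Blazorise, or the posters) checks whether a policy permits inline styles and, if not, lists the `<style>` elements and `style` attributes in a saved copy of the rendered DOM. The sample markup and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Policy string quoted in the question.
POLICY = ("base-uri 'self'; default-src 'none'; img-src 'self' data:; "
          "script-src 'self'; style-src 'self'; font-src 'self'; "
          "connect-src 'self'; frame-ancestors 'none'")
# Constructed sample markup (an assumption, not real ABP or Blazorise output).
SAMPLE = """<head><link rel="stylesheet" href="/app.css">
<style>.grid th { width: 120px; }</style></head>
<body><div class="modal" style="display: block;">dialog</div>
<table><tr><th class="col-name" style="width: 30%">Name</th></tr></table></body>"""

def style_sources(csp):
    """Source list governing styles: style-src, falling back to default-src."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.lower().split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0], tokens[1:])
    return directives.get("style-src", directives.get("default-src"))

def inline_styles_allowed(csp):
    """True if arbitrary inline styles pass (style-src-elem/-attr not handled)."""
    sources = style_sources(csp)
    if sources is None:
        return True  # no directive restricts styles
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    return "'unsafe-inline'" in sources and not strict

class InlineStyleFinder(HTMLParser):
    """Records (line, kind, tag, class) for every inline style in a document."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs, line = dict(attrs), self.getpos()[0]
        if tag == "style":
            self.findings.append((line, "style-element", tag, attrs.get("class")))
        if "style" in attrs:
            self.findings.append((line, "style-attribute", tag, attrs.get("class")))

def audit(html, csp):
    """Inline styles in html that csp would block (empty list if allowed)."""
    finder = InlineStyleFinder()
    if not inline_styles_allowed(csp):
        finder.feed(html)
    return finder.findings
```

The CSS class on each finding helps attribute it to the component that rendered it; the linked stylesheet is not reported because `style-src 'self'` permits same-origin stylesheet files.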