.NET 10 importmap - incompatible with secure Content Security Policy (CSP) #121885

@rodolfograve

Description

This is an existing, mature project, using .NET 9 that has just been migrated to .NET 10. After struggling with #121849 I'm now facing an issue with the new importmap.

Our Content Security Policy is strict, as recommended in many security best practices as protection against XSS and clickjacking:

"object-src 'none'; upgrade-insecure-requests; img-src https: data:; form-action 'none'; font-src 'self'; base-uri 'self'; frame-ancestors 'none'; script-src 'self' https://static.cloudflareinsights.com/ 'unsafe-eval'"

Notice that unsafe-eval is considered a weakness but seems to be required by the Blazor Mono runtime, with #68374 unresolved. I haven't been able to find any other mention of Content Security Policy in this GitHub project (or elsewhere).

However, it now looks like the new importmap used for fingerprinted files requires an even weaker 'unsafe-inline', which is considered the weakest of all the options. We get this error from the browser:

Executing inline script violates the following Content Security Policy directive 'script-src 'self' https://static.cloudflareinsights.com/ 'unsafe-eval''. Either the 'unsafe-inline' keyword, a hash ('sha256-4K2dkMg8Na5SjWlB6DRBmGhpIg6nIQjasnFdQLS8WRc='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

and more importantly, any attempt to download fingerprinted files, e.g., dotnet.js fails because the fingerprint is not included in the URL (as expected when the importmap is not loaded).

Are there any options to generate this importmap as an independent .json file instead of embedding it into the index.html page? Or any other alternative solution that doesn't require weakening our Content Security Policy even more?

Reproduction Steps

Include a secure CSP header when serving Blazor WASM assets.

Expected behavior

The importmap is compatible with secure CSP headers and the runtime is loaded.

Actual behavior

Browser error that prevents the importmap and the runtime from being loaded:

Executing inline script violates the following Content Security Policy directive 'script-src 'self' https://static.cloudflareinsights.com/ 'unsafe-eval''. Either the 'unsafe-inline' keyword, a hash ('sha256-4K2dkMg8Na5SjWlB6DRBmGhpIg6nIQjasnFdQLS8WRc='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

Regression?

Yes? This feature didn't exist in .NET 9 but our system used to work in .NET 9.

Known Workarounds

None

Configuration

No response

Other information

No response
