
CSP Errors when using libraries #50

Open
DreamDelerium opened this issue Sep 17, 2023 · 3 comments

Comments

@DreamDelerium

Hello. I am not sure if I am not implementing something correctly or not, but when I try to add UI libraries, like MudBlazor or Radzen, I get CSP errors similar to this:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ktKK7Zv7htgNiUfk5gyriqVJUMU7emNct5K2m6GIbXs='), or a nonce ('nonce-...') is required to enable inline execution.

I can resolve this by going into the SecurityHeadersDefinitions.cs file and commenting out this line: builder.AddStyleSrc().Self(); but I would assume this introduces security issues? Is there a way to correctly add these types of libraries? Or, is this a known issue? Thanks!

@damienbod
Owner

damienbod commented Sep 17, 2023

Hi @DreamDelerium

This is because the libraries have weak security... The CSP is already not perfect because the self is used; better would be to remove the self and force nonce only.

When using the libraries, you need to be aware that they force you to weaken your security. To allow this, you need to allow the weakest link...

It might be possible to add a nonce or a hash to the MudBlazor or Radzen packages, but better would be if they fixed their libs.

At least you have no tokens in the browser

Greetings Damien

@damienbod
Owner

PS, I plan to revisit CSP and add exceptions for the libs. As a lib creator, supporting strong CSP should be standard.

@DreamDelerium
Author

That makes sense! Thanks! I had one other question, but I will post it in another topic. Thanks for all of this!
