Add remarks on avoiding inline JS (#34431)
Luke Latham
GitHub
parent
beeb05e6a0
commit
393dc8999d
|
|
@ -33,6 +33,8 @@ Load JavaScript (JS) code using any of the following approaches:
|
|||
|
||||
:::moniker-end
|
||||
|
||||
Inline JavaScript isn't recommended for Blazor apps. We recommend using [JS collocation](#load-a-script-from-an-external-javascript-file-js-collocated-with-a-component) combined with [JS modules](#javascript-isolation-in-javascript-modules).
|
||||
|
||||
## Location of `<script>` tags
|
||||
|
||||
:::moniker range=">= aspnetcore-8.0"
|
||||
|
|
|
|||
|
|
@ -31,19 +31,19 @@ Minimally, specify the following directives and sources for Blazor apps. Add add
|
|||
|
||||
:::moniker range=">= aspnetcore-8.0"
|
||||
|
||||
* [base-uri](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri): Restricts the URLs for a page's `<base>` tag. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [default-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/default-src): Indicates a fallback for source directives that aren't explicitly specified by the policy. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [img-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/img-src): Indicates valid sources for images.
|
||||
* [`base-uri`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri): Restricts the URLs for a page's `<base>` tag. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [`default-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/default-src): Indicates a fallback for source directives that aren't explicitly specified by the policy. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [`img-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/img-src): Indicates valid sources for images.
|
||||
* Specify `data:` to permit loading images from `data:` URLs.
|
||||
* Specify `https:` to permit loading images from HTTPS endpoints.
|
||||
* [object-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/object-src): Indicates valid sources for the `<object>`, `<embed>`, and `<applet>` tags. Specify `none` to prevent all URL sources.
|
||||
* [script-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
|
||||
* [`object-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/object-src): Indicates valid sources for the `<object>`, `<embed>`, and `<applet>` tags. Specify `none` to prevent all URL sources.
|
||||
* [`script-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
|
||||
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* In a client-side Blazor app:
|
||||
* Specify [`wasm-unsafe-eval`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_webassembly_execution) to permit the client-side Blazor Mono runtime to function.
|
||||
* Specify any additional hashes to permit your required *non-framework scripts* to load.
|
||||
* In a server-side Blazor app, specify hashes to permit required scripts to load.
|
||||
* [style-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
|
||||
* [`style-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
|
||||
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* If the app uses inline styles, specify `unsafe-inline` to allow the use of your inline styles.
|
||||
* [upgrade-insecure-requests](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.
|
||||
|
|
@ -52,68 +52,68 @@ Minimally, specify the following directives and sources for Blazor apps. Add add
|
|||
|
||||
:::moniker range=">= aspnetcore-7.0 < aspnetcore-8.0"
|
||||
|
||||
* [base-uri](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri): Restricts the URLs for a page's `<base>` tag. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [default-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/default-src): Indicates a fallback for source directives that aren't explicitly specified by the policy. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [img-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/img-src): Indicates valid sources for images.
|
||||
* [`base-uri`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri): Restricts the URLs for a page's `<base>` tag. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [`default-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/default-src): Indicates a fallback for source directives that aren't explicitly specified by the policy. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [`img-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/img-src): Indicates valid sources for images.
|
||||
* Specify `data:` to permit loading images from `data:` URLs.
|
||||
* Specify `https:` to permit loading images from HTTPS endpoints.
|
||||
* [object-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/object-src): Indicates valid sources for the `<object>`, `<embed>`, and `<applet>` tags. Specify `none` to prevent all URL sources.
|
||||
* [script-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
|
||||
* [`object-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/object-src): Indicates valid sources for the `<object>`, `<embed>`, and `<applet>` tags. Specify `none` to prevent all URL sources.
|
||||
* [`script-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
|
||||
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* In a client-side Blazor app:
|
||||
* Specify `unsafe-eval` to permit the client-side Blazor Mono runtime to function.
|
||||
* Specify any additional hashes to permit your required *non-framework scripts* to load.
|
||||
* In a server-side Blazor app, specify hashes to permit required scripts to load.
|
||||
* [style-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
|
||||
* [`style-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
|
||||
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* If the app uses inline styles, specify `unsafe-inline` to allow the use of your inline styles.
|
||||
* [upgrade-insecure-requests](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.
|
||||
* [`upgrade-insecure-requests`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.
|
||||
|
||||
:::moniker-end
|
||||
|
||||
:::moniker range=">= aspnetcore-6.0 < aspnetcore-7.0"
|
||||
|
||||
* [base-uri](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri): Restricts the URLs for a page's `<base>` tag. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [default-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/default-src): Indicates a fallback for source directives that aren't explicitly specified by the policy. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [img-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/img-src): Indicates valid sources for images.
|
||||
* [`base-uri`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri): Restricts the URLs for a page's `<base>` tag. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [`default-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/default-src): Indicates a fallback for source directives that aren't explicitly specified by the policy. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [`img-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/img-src): Indicates valid sources for images.
|
||||
* Specify `data:` to permit loading images from `data:` URLs.
|
||||
* Specify `https:` to permit loading images from HTTPS endpoints.
|
||||
* [object-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/object-src): Indicates valid sources for the `<object>`, `<embed>`, and `<applet>` tags. Specify `none` to prevent all URL sources.
|
||||
* [script-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
|
||||
* [`object-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/object-src): Indicates valid sources for the `<object>`, `<embed>`, and `<applet>` tags. Specify `none` to prevent all URL sources.
|
||||
* [`script-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
|
||||
* Specify the `https://stackpath.bootstrapcdn.com/` host source for Bootstrap scripts.
|
||||
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* In a client-side Blazor app:
|
||||
* Specify `unsafe-eval` to permit the client-side Blazor Mono runtime to function.
|
||||
* Specify any additional hashes to permit your required *non-framework scripts* to load.
|
||||
* In a server-side Blazor app, specify hashes to permit required scripts to load.
|
||||
* [style-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
|
||||
* [`style-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
|
||||
* Specify the `https://stackpath.bootstrapcdn.com/` host source for Bootstrap stylesheets.
|
||||
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* Specify `unsafe-inline` to allow the use of inline styles.
|
||||
* [upgrade-insecure-requests](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.
|
||||
* [`upgrade-insecure-requests`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.
|
||||
|
||||
:::moniker-end
|
||||
|
||||
:::moniker range="< aspnetcore-6.0"
|
||||
|
||||
* [base-uri](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri): Restricts the URLs for a page's `<base>` tag. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [default-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/default-src): Indicates a fallback for source directives that aren't explicitly specified by the policy. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [img-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/img-src): Indicates valid sources for images.
|
||||
* [`base-uri`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri): Restricts the URLs for a page's `<base>` tag. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [`default-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/default-src): Indicates a fallback for source directives that aren't explicitly specified by the policy. Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* [`img-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/img-src): Indicates valid sources for images.
|
||||
* Specify `data:` to permit loading images from `data:` URLs.
|
||||
* Specify `https:` to permit loading images from HTTPS endpoints.
|
||||
* [object-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/object-src): Indicates valid sources for the `<object>`, `<embed>`, and `<applet>` tags. Specify `none` to prevent all URL sources.
|
||||
* [script-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
|
||||
* [`object-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/object-src): Indicates valid sources for the `<object>`, `<embed>`, and `<applet>` tags. Specify `none` to prevent all URL sources.
|
||||
* [`script-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src): Indicates valid sources for scripts.
|
||||
* Specify the `https://stackpath.bootstrapcdn.com/` host source for Bootstrap scripts.
|
||||
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* In a client-side Blazor app:
|
||||
* Specify hashes to permit required scripts to load.
|
||||
* Specify `unsafe-eval` to use `eval()` and methods for creating code from strings.
|
||||
* In a server-side Blazor app, specify hashes to permit required scripts to load.
|
||||
* [style-src](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
|
||||
* [`style-src`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/style-src): Indicates valid sources for stylesheets.
|
||||
* Specify the `https://stackpath.bootstrapcdn.com/` host source for Bootstrap stylesheets.
|
||||
* Specify `self` to indicate that the app's origin, including the scheme and port number, is a valid source.
|
||||
* Specify `unsafe-inline` to allow the use of inline styles. The inline declaration is required for the UI for reconnecting the client and server after the initial request. In a future release, inline styling might be removed so that `unsafe-inline` is no longer required.
|
||||
* [upgrade-insecure-requests](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.
|
||||
* [`upgrade-insecure-requests`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): Indicates that content URLs from insecure (HTTP) sources should be acquired securely over HTTPS.
|
||||
|
||||
:::moniker-end
|
||||
|
||||
|
|
@ -199,6 +199,8 @@ Add additional `script-src` and `style-src` hashes as required by the app. Durin
|
|||
|
||||
The particular script associated with the error is displayed in the console next to the error.
|
||||
|
||||
For guidance on applying a CSP to an app in C# code at startup, see <xref:blazor/fundamentals/startup#control-headers-in-c-code>.
|
||||
|
||||
### Client-side Blazor apps
|
||||
|
||||
In the [`<head>` content](xref:blazor/project-structure#location-of-head-and-body-content), apply the directives described in the *Policy directives* section:
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
title: Identity model customization in ASP.NET Core
|
||||
author: ajcvickers
|
||||
description: This article describes how to customize the underlying Entity Framework Core data model for ASP.NET Core Identity.
|
||||
ms.author: avickers
|
||||
ms.author: riande
|
||||
ms.date: 10/29/2024
|
||||
uid: security/authentication/customize_identity_model
|
||||
---
|
||||
|
|
|
|||
Loading…
Reference in New Issue