Refused to load _framework/aspnetcore-browser-refresh.js due to CSP

[fingers10]

I'm working on .net 5 blazor wasm project. I recently updated my Visual Studio 2019 to version 16.10.0. All of a sudden I started getting an error message in my browser (Google Chrome) console as shown below:

Refused to load the script
'https://localhost:44340/_framework/aspnetcore-browser-refresh.js'
because it violates the following Content Security Policy directive:
"script-src 'sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI='".
Note that 'script-src-elem' was not explicitly set, so 'script-src' is
used as a fallback.

I don't have _framework/aspnetcore-browser-refresh.js added in my index.html. Here is the scripts and styles declaration in my index.html

styles declared inside <head> in index.html:

<head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
    <title>App</title>
    <base href="/" />
    <link href="css/site.css" rel="stylesheet" />
    <link href="Web.styles.css" rel="stylesheet">
    <link href="_content/BlazorDateRangePicker/daterangepicker.min.css" rel="stylesheet" />
    <link href="manifest.json" rel="manifest" />
    <link rel="apple-touch-icon" sizes="512x512" href="icon-512.png" />
</head>

scripts in index.html:

<script src="_content/Microsoft.AspNetCore.Components.WebAssembly.Authentication/AuthenticationService.js"></script>
<script src="_framework/blazor.webassembly.js"></script>
<script src="js/Chart.js"></script>
<script src="js/print.js"></script>
<script src="js/pdf.js"></script>
<script src="_content/BlazorDateRangePicker/clickAndPositionHandler.js"></script>
<script src="js/blazorInterop.js"></script>
<script>navigator.serviceWorker.register('service-worker.js');</script>

But when I launch the app via visual studio, from the browser I can see that _framework/aspnetcore-browser-refresh.js gets appended to scripts section in my index.html. Here is the screen print.

This is anything related to my configuration error? or I need to setup CSP in my index.html? Please assist.

Further technical details

• ASP.NET Core version - 5.0.6
• The IDE (VS / VS Code/ VS4Mac) you're running on, and its version - VS 16.0.0

[ghost]

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

[mkArtakMSFT]

@pranavkm is this something that you've been looking at?

[donhuvy]

Some one said my error related to this issue: https://stackoverflow.com/a/69252946/3728901

[TanayParikh]

Related to: #34428

@pranavkm is the _framework/aspnetcore-browser-refresh.js script constant or does it dynamically change based on the hot reload? If it's constant, we can just update the documentation to include the script hash as part of the CSP, like we currently do for the WASM Module script injected into the page.

[pranavkm]

The script has a couple of dynamic components which makes this tricky. I think one of the ideas was to
a) Have a way to opt out of the script being auto-injected
b) Add an environment variable that includes metadata so a user can reasonably configure their CSP.

Browserlink in VS which is now injected by default also has this issue, so we kinda have to make sure this scales (or figure out how to roll everything into a single import).

[gbjbaanb]

As mentioned previously (twice!) here's my debug info of what's going on. Looks like the port used for the refresh is dynamically set and thus cannot easily be placed in a CSP rule at development time. There's no way to set the port, or to use a common one for all VS installations. A solution might be to use a different endpoint on the existing site for refresh functionality rather than try to connect to a different port.

#31320 (comment)

[ASP-WAF]

to allow this while developing alter the CSP header on the response of the page. My Nuget Package walter.web.firewall will do this for you

[flavio2201]

I faced the same issue and added: "default-src 'self' 'unsafe-eval'". It is a temporary fix though. I wish we had a proper fix to avoid the 'unsafe-eval' line.

[aKzenT]

There is a way to disable the injection of the aspnetcore-browser-refresh script using configuration settings. Basically the script is injected by a middleware which is injected using hosting startup assemblies. You can disable the specific hosting startup assembly using this code:

builder.UseSetting(WebHostDefaults.HostingStartupExcludeAssembliesKey, "Microsoft.AspNetCore.Watch.BrowserRefresh");

Or using an environment variable ASPNETCORE_HOSTINGSTARTUPEXCLUDEASSEMBLIES with the same value.

[ghost]

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[Myster]

We use 'strict-dynamic' with nonce attributes on all our scripts which precludes the use of 'self'.
Perhaps if we could implement some interface which would return the nonce so it can be applied to the preload script tag (I have no idea if that's even remotely feasible depending on how the script is generated and injected.)
And given this is just for dev environment... probably very low priority.

Perhaps nonces need baking into the MVC framework :-)

[ghost]

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[kathleenwest]

I am working on the Microsoft Learn tutorials, and this is still an issue https://learn.microsoft.com/en-us/training/modules/dotnet-microservices/5-exercise-create-docker-compose-file

Refused to load the script 'http://localhost:32000/_framework/blazor.web.js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

[mkArtakMSFT]

Closing as this will be handled as part of #45213