Monday, January 20, 2025

.NET 6 Hot Reload and “Refused to connect to ws: because it violates the Content Security Policy directive” because Web Sockets



If you’re excited about Hot Reload like me AND you also want an “A” grade from SecurityHeaders.com (really, go try this now) then you will learn very quickly about Content-Security-Policy headers. You may spend some time reading and you may end up with a somewhat sophisticated list of allowed things, scripts, stylesheets, etc.

In DasBlog Core (the cross platform blog engine that runs this blog) Mark Downie makes these configurable and uses the NWebsec ASP.NET Middleware library to add the needed headers.

    // Emit the CSP header only when all three source lists were loaded from configuration.
    if (SecurityStyleSources != null && SecurityScriptSources != null && DefaultSources != null)
    {
        app.UseCsp(options => options
            .DefaultSources(s => s.Self()
                .CustomSources(DefaultSources)
            )
            .StyleSources(s => s.Self()
                .CustomSources(SecurityStyleSources)
                .UnsafeInline()
            )
            .ScriptSources(s => s.Self()
                .CustomSources(SecurityScriptSources)
                .UnsafeInline()   // emits 'unsafe-inline'
                .UnsafeEval()     // emits 'unsafe-eval'
            )
        );
    }

Each of those variables comes out of a config file. Yes, it would be more secure if they came out of a vault or were even hard coded.

DasBlog is a pretty large and cool app and we noticed immediately upon Mark upgrading it to .NET 6 that we were unable to use Hot Reload (via dotnet watch or from VS 2022). We can complain about it, or we can learn how it works and why it isn’t working for us!

Remember: Nothing in your computer is hidden from you.

Starting with a simple “View Source” we can see a JavaScript include at the very bottom that is definitely not mine!
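The policy configured above sets default-src, style-src and script-src but no connect-src, and browsers check WebSocket connections against connect-src, falling back to default-src when it is absent. The JavaScript below is an added example (not code from the original post or from DasBlog) that models that lookup in simplified form; the sample policy, page URL and socket URL are constructed.

```javascript
// Added example: simplified CSP source-list check for a WebSocket connection.
// Not handled: paths, the bare * source, and CSP3 scheme upgrades (ws: -> wss:).

// Parse a header value into { directive: [sources] }; a repeated directive is ignored.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// True when one source expression covers the target URL.
function sourceMatches(source, target, page) {
  if (source === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/']+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // keywords such as 'none' or 'unsafe-inline'
  // Simplification: a host without a scheme is compared against the page's scheme.
  const scheme = m[1] ? m[1].toLowerCase() + ':' : page.protocol;
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith('*.')
    ? target.hostname.endsWith(host.slice(1))
    : target.hostname === host;
  const wantPort = m[3] || DEFAULT_PORT[scheme] || '';
  const gotPort = target.port || DEFAULT_PORT[target.protocol] || '';
  return scheme === target.protocol && hostOk && (wantPort === '*' || wantPort === gotPort);
}

// WebSocket connections are governed by connect-src, falling back to default-src.
function checkWebSocket(cspHeader, pageUrl, socketUrl) {
  const policy = parseCsp(cspHeader);
  const directive = ['connect-src', 'default-src'].find((d) => d in policy) || null;
  if (!directive) return { directive, allowed: true }; // nothing restricts the connection
  const page = new URL(pageUrl);
  const target = new URL(socketUrl);
  return { directive, allowed: policy[directive].some((s) => sourceMatches(s, target, page)) };
}

// Constructed sample values (not from the page).
const SAMPLE_CSP = "default-src 'self' https://cdn.example; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const SAMPLE_PAGE = 'https://localhost:5001/';
const SAMPLE_SOCKET = 'ws://localhost:50000/';
console.log(checkWebSocket(SAMPLE_CSP, SAMPLE_PAGE, SAMPLE_SOCKET));
console.log(checkWebSocket(SAMPLE_CSP + "; connect-src 'self' ws://localhost:*", SAMPLE_PAGE, SAMPLE_SOCKET));
```

An entry like the constructed `ws://localhost:*` is a development-only allowance; the production policy is better left without it.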


