If you're excited about Hot Reload like me AND you also want an "A" grade from SecurityHeaders.com (really, go do this now) then you'll learn very quickly about Content-Security-Policy headers. You'll need to spend some time reading, and you may end up with a fairly refined list of allowed things: scripts, stylesheets, and so on.

In DasBlog Core (the cross-platform blog engine that runs this blog) Mark Downie makes these configurable and uses the NWebSpec ASP.NET Middleware library to add the needed headers.
    // Each source list is read from configuration; the CSP is only emitted when all three are present.
    if (SecurityStyleSources != null && SecurityScriptSources != null && DefaultSources != null)
    {
        app.UseCsp(options => options
            // default-src: this origin plus whatever the config allows.
            .DefaultSources(s => s.Self()
                .CustomSources(DefaultSources)
            )
            // style-src: this origin, configured hosts, and inline styles.
            .StyleSources(s => s.Self()
                .CustomSources(SecurityStyleSources)
                .UnsafeInline()
            )
            // script-src: this origin, configured hosts, inline scripts and eval().
            .ScriptSources(s => s.Self()
                .CustomSources(SecurityScriptSources)
                .UnsafeInline()
                .UnsafeEval()
            )
        );
    }

Each of those variables comes out of a config file. Yes, it could be more secure if they came out of a vault or were even hard coded.

DasBlog is a pretty large and cool app, and we noticed immediately upon Mark upgrading it to .NET 6 that we were unable to use Hot Reload (via dotnet watch or from VS 2022). We can complain about it, or we can learn how it works and why it's not working for us!

Remember: Nothing on your computer is hidden from you.

Starting with a simple "View Source" we can see a JavaScript include at the very bottom that's definitely not mine!
    <script src="http://feeds.hanselman.com/_framework/aspnetcore-browser-refresh.js"></script>

OK, this makes sense, as we know Hot Reload supports not only C# (code-behinds) but also markup via Razor Pages and changing CSS! It will definitely need to talk "back home" to the runner, which is either "dotnet watch" or VS2022.

If I change the ASPNETCORE_ENVIRONMENT to "Production" (either via launch.json, launchSettings, or an environment variable like this), I can see that the extra Hot Reload helper script is not there:
    C:\github\wshotreloadtest>dotnet run --environment="Production"
    Building...
    info: Microsoft.Hosting.Lifetime[14]
          Now listening on: https://localhost:7216
    info: Microsoft.Hosting.Lifetime[14]
          Now listening on: http://localhost:5216

Remember: You never want to use dotnet run in production! It's an SDK building command! You'll want to use dotnet exec your.dll, dotnet your.dll, or best of all, in .NET 6 just call the EXE directly! .\bin\Debug\net6.0\wshotreloadtest.exe in my example. Why? dotnet run will always assume it's in Development (you literally tell it to restore, build, and exec in one run command) when you run it. You'll notice that running the actual EXE is always WAY faster as well! Don't ship your .NET SDK to your web server and don't recompile the whole thing on startup in production!

We can see that aspnetcore-browser-refresh.js is the client side of Development-time Hot Reload. In our browser console we see:

    Refused to connect to 'wss://localhost:62486/'
    because it violates the following Content Security Policy
    directive: "default-src 'self'".
    Note that 'connect-src' was not explicitly set,
    so 'default-src' is used as a fallback.

That's a lot to think about. I started out my ASP.NET Web App's middleware saying it was OK to talk "back to myself" but nowhere else.

    app.UseCsp(options => options.DefaultSources(s => s.Self()));

Hm, self seems reasonable, so why can't the browser connect BACK to the dotnet run'ed Kestrel web server? It's all localhost, right? Well, specifically it's http://localhost, not ws://localhost or even wss://localhost (that extra s is for secure), so I need to explicitly allow ws: or wss: or both, but only in Development.

Maybe like this (again, I'm using NWebSpec, but these are just HTTP headers, so you can really just add them yourself if you want, hardcoded):
    app.UseCsp(options => options.DefaultSources(s => s.Self())
        .ConnectSources(s => s.CustomSources("wss://localhost:62895")));

But port numbers change, right? Let's just do wss:, only in Development. Now, if I'm using both CSPs and WebSockets (ws:, wss:) in Production, I'm going to need to be intentional about this.
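One way to make that Development-only split explicit, as an added example that is not DasBlog's or NWebSpec's own code: it assumes .NET 6 minimal hosting (WebApplication) and the NWebSpec UseCsp fluent API used above, and that each fluent call mutates the same options object so a block-bodied lambda works.

```csharp
// Added example, not DasBlog's or NWebSpec's own code. Assumes .NET 6 minimal
// hosting (WebApplication) and the NWebSpec UseCsp fluent API shown earlier;
// the block-bodied lambda relies on each fluent call mutating the same options object.
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

app.UseCsp(options =>
{
    // Same starting point as before: everything defaults to this origin only.
    options.DefaultSources(s => s.Self());

    if (app.Environment.IsDevelopment())
    {
        // aspnetcore-browser-refresh.js opens a WebSocket back to dotnet watch / VS2022.
        // The port changes every run, so allow the schemes rather than a host:port.
        // 'self' alone does not cover ws:/wss: because the scheme differs from http(s).
        options.ConnectSources(s => s.Self().CustomSources("wss:", "ws:"));
    }
    else
    {
        // Production: set connect-src explicitly instead of relying on the
        // default-src fallback. Any WebSocket origins the app really needs go here, on purpose.
        options.ConnectSources(s => s.Self());
    }
});

app.MapGet("/", () => "CSP header set; inspect the response headers in the browser dev tools.");
app.Run();
```

With ASPNETCORE_ENVIRONMENT set to Production the browser will still refuse the wss: connection, which is the intended outcome unless the app itself uses WebSockets.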

What's the moral?

If you start using CSP headers to tighten things up, be conscious and aware of the headers you need for conveniences like Hot Reload in Development versus whatever things you may need in Production.

Hope this helps save you some time!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.