Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
As of .NET 10, the WebAssembly.Authentication component's AuthenticationService.js has started using unsafe in-line JavaScript code that breaks any reasonable content security policy and would require allowing unsafe-eval to support.
Expected Behavior
The authentication service code should continue working without errors as it did in .NET 8.
Steps To Reproduce
Include <script src="_content/Microsoft.AspNetCore.Components.WebAssembly.Authentication/AuthenticationService.js"></script> in index.html as directed by the documentation. The script uses unsafe in-line JavaScript which browsers will reject with a CSP in place:
Exceptions (if any)
Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'self' 'wasm-unsafe-eval' 'unsafe-hashes' 'sha256-7GxsRvgFpVoJjAvfMygeJfE+Nw3Ym69Ws0pNp7rTcJo=' 'sha256-6wDxxuAzeg/60+1CAAt5rbL08qT/A0H+gL/7CQENXto='” (Missing 'unsafe-eval')
.NET Version
10.0.101
Anything else?
Using Microsoft.AspNetCore.Components.WebAssembly.Authentication version 10.0.1
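The error above turns on the difference between `'wasm-unsafe-eval'` and `'unsafe-eval'` in `script-src`. The following is an added example, not part of the issue and not ASP.NET Core code: it parses one policy string and reports whether JavaScript string compilation and WebAssembly compilation are permitted. The names `parsePolicy` and `evalPermissions` are hypothetical, and the sample policy is constructed from the directive in the error message with the hash sources replaced by a placeholder.

```javascript
// Added example (not from the issue or from ASP.NET Core): decides what one
// CSP policy string permits for string-to-code compilation.
// parsePolicy and evalPermissions are hypothetical names.

// Constructed sample modelled on the directive in the error above;
// the two hash sources are replaced by a placeholder.
const ISSUE_POLICY =
  "script-src 'self' 'wasm-unsafe-eval' 'unsafe-hashes' 'sha256-PLACEHOLDER='";

// Split a serialized policy into directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function evalPermissions(policy) {
  const directives = parsePolicy(policy);
  // eval() and WebAssembly compilation are governed by script-src,
  // falling back to default-src when script-src is absent.
  const governedBy = directives.has("script-src") ? "script-src"
    : directives.has("default-src") ? "default-src" : null;
  if (governedBy === null) {
    return { governedBy, jsEval: true, wasmCompile: true };
  }
  // Keyword sources are matched case-insensitively.
  const keywords = new Set(directives.get(governedBy).map((s) => s.toLowerCase()));
  const unsafeEval = keywords.has("'unsafe-eval'");
  return {
    governedBy,
    // eval(), new Function(), and string arguments to setTimeout/setInterval.
    jsEval: unsafeEval,
    // 'wasm-unsafe-eval' covers WebAssembly compilation only.
    wasmCompile: unsafeEval || keywords.has("'wasm-unsafe-eval'"),
  };
}

console.log(evalPermissions(ISSUE_POLICY));
```

For the policy in the report this gives `jsEval: false` and `wasmCompile: true`, which matches a browser that loads the WebAssembly runtime but blocks an eval-style call in a script.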