
Content Security Policy (CSP) in XAF Blazor Apps


Content Security Policy (CSP) is a built-in browser mechanism that helps you protect your web application against certain types of attacks, such as Cross-Site Scripting (XSS), clickjacking, and data injection. CSP is supported in most modern browsers, including Chrome, Edge, Firefox, Opera, Safari, and mobile browsers. For more information on how to use the Content Security Policy with an ASP.NET Core Blazor application, refer to the following Microsoft topic: Enforce a Content Security Policy for ASP.NET Core Blazor.

To enable CSP protection, specify a Content-Security-Policy header or use the <meta> tag and explicitly define authorized functionality with CSP directives. You can list allowed scripts, styles, and external domains that store required resources. Apply the following directives in the <head> content of the Pages/_Host.cshtml file:

CSHTML
<head>
    <!--...-->
    <meta http-equiv="Content-Security-Policy"
        content="base-uri 'self';
        block-all-mixed-content;
        default-src 'self';
        img-src data: https:;
        object-src 'none';
        script-src 'self';
        style-src 'self' 'unsafe-inline';
        upgrade-insecure-requests;">
    <!--...-->
</head>

For more information on each directive, refer to the following section: Content-Security-Policy: Directives.

Reports Module

If you use the Reports Module, list the following directives in the <head> section of the Pages/_Host.cshtml file. The additional worker-src and frame-src directives with the blob: source allow print operations.

CSHTML
<head>
    <!--...-->
    <meta http-equiv="Content-Security-Policy"
        content="base-uri 'self';
        block-all-mixed-content;
        default-src 'self';
        img-src data: https:;
        object-src 'none';
        script-src 'self';
        style-src 'self' 'unsafe-inline';
        worker-src 'self' blob:;
        frame-src 'self' blob:;
        upgrade-insecure-requests;">
    <!--...-->
</head>

For more information about CSP support in Reports, refer to the following topic: Reports - Content Security Policy.
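As an added example (not from the DevExpress documentation or XAF source), the following Program.cs fragment sends the same policy as the two <meta> snippets above, but as an HTTP response header. A header is required for directives that browsers ignore inside a <meta> element, such as frame-ancestors (the clickjacking control mentioned at the top of this topic). The fragment assumes the .NET 6+ minimal hosting model for a Blazor Server app; the useReportsModule flag, the BuildPolicy helper, and the development-time report-only switch are this example's own additions.

```csharp
// Program.cs -- added example, not DevExpress or XAF code.
// Sends the CSP as a response header so directives that browsers ignore inside
// <meta> (frame-ancestors, report-uri, sandbox) take effect.
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

var app = builder.Build();

// Assumption for this example: set to true when the Reports Module is used.
const bool useReportsModule = true;

// Builds the directive list from the snippets above; 'reports' appends the
// blob: worker and frame sources that Reports printing needs.
static string BuildPolicy(bool reports)
{
    var directives = new List<string>
    {
        "base-uri 'self'",
        "block-all-mixed-content",
        "default-src 'self'",
        "img-src data: https:",
        "object-src 'none'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'",
        // Header-only directive: forbids framing by other origins (clickjacking).
        "frame-ancestors 'none'",
        "upgrade-insecure-requests",
    };
    if (reports)
    {
        directives.Add("worker-src 'self' blob:");
        directives.Add("frame-src 'self' blob:");
    }
    return string.Join("; ", directives);
}

var policy = BuildPolicy(useReportsModule);

// In Development, report violations to the browser console without blocking,
// so a missing source is found before the policy is enforced in production.
var headerName = app.Environment.IsDevelopment()
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";

app.Use(async (context, next) =>
{
    // Set the header before downstream middleware starts writing the body.
    context.Response.Headers[headerName] = policy;
    await next(context);
});

app.UseStaticFiles();
app.UseRouting();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();
```

If the <meta> tag in Pages/_Host.cshtml is kept alongside the header, browsers enforce both policies and a resource must be allowed by each of them, so either keep the two in sync or use only one of the mechanisms.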

Dashboards Module

The Dashboards Module does not require additional customizations. If you encounter any problems, refer to the following topic: Dashboards - Content Security Policy.
