If you're excited about Hot Reload like I am AND you also want an "A" grade from SecurityHeaders.com (seriously, try it now) then you'll learn very quickly about Content Security Policy headers. You need to spend some time reading, and you may end up with a somewhat sophisticated list of allowed things: scripts, stylesheets, and so on.
In DasBlog Core (the cross-platform weblog engine that runs this weblog) Mark Downie makes them configurable and uses the NWebSpec ASP.NET Middleware library to add the needed headers.
// Each *Sources value is a list of allowed origins read from configuration;
// Self() adds 'self', CustomSources() appends the configured extra origins.
if (SecurityStyleSources != null && SecurityScriptSources != null && DefaultSources != null)
{
    app.UseCsp(choices => choices
        .DefaultSources(s => s.Self()
            .CustomSources(DefaultSources)
        )
        .StyleSources(s => s.Self()
            .CustomSources(SecurityStyleSources)
            .UnsafeInline()
        )
        .ScriptSources(s => s.Self()
            .CustomSources(SecurityScriptSources)
            .UnsafeInline()
            .UnsafeEval()
        )
    );
}
Each of those variables comes out of a config file. Yes, it would be more secure if they came out of a vault or were even hard coded.
DasBlog is a pretty large and legacy app, and we noticed immediately after Mark updated it to .NET 6 that we weren't able to use Hot Reload (via dotnet watch or from VS 2022). We can complain about it, or we can learn how it works and why it's not working for us!
Starting with a simple "View Source" we can see a JavaScript include at the very bottom that is definitely not mine!
Ok, this makes sense as we know not only does HotReload support C# (code behinds) but also Markup via Razor Pages and changing CSS! It would definitely need to communicate "back home" to the runner, which is either "dotnet watch" or VS2022. If I change the ASPNETCORE_ENVIRONMENT to "Production" (either via launch.json, launchSettings.json, or an environment variable like this), I can see that the extra HotReload helper script isn't there:

C:\github\wshotreloadtest>dotnet run --environment="Production"
Building...
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://localhost:7216
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://localhost:5216

Remember: You never want to use dotnet run in production! It's an SDK building command! You'll want to use dotnet exec your.dll, dotnet your.dll, or best of all, in .NET 6 just call the EXE directly! .\bin\Debug\net6.0\wshotreloadtest.exe in my example. Why? dotnet run will always assume it's in Development (you literally tell it to restore, build, and exec in one run command) if you run it. You'll note that running the actual EXE is always WAY faster as well! Don't ship your .NET SDK to your webserver and don't recompile the whole thing on startup in production!

We can see that aspnetcore-browser-refresh.js is the client side of Development-time HotReload. Looking at our browser console we see:

Refused to connect to 'wss://localhost:62486/'
because it violates the following Content Security Policy
directive: "default-src 'self'".
Note that 'connect-src' was not explicitly set,
so 'default-src' is used as a fallback.

That's a lot to think about. I started out my ASP.NET Web App's middleware saying it was OK to talk "back to myself" but nowhere else.

app.UseCsp(options => options.DefaultSources(s => s.Self()));

Hm, self seems reasonable, why can't the browser connect BACK to the dotnet run'ed Kestrel Web Server? It's all localhost, right? Well, specifically it's http://localhost not ws://localhost, or even wss://localhost (that extra s is for secure), so I need to explicitly allow ws: or wss: or both, but only in Development. Maybe like this (again, I'm using NWebSpec, but these are just HTTP Headers so you can literally just add them if you want, hardcoded.)

app.UseCsp(options => options.DefaultSources(s => s.Self())
    .ConnectSources(s => s.CustomSources("wss://localhost:62895")));

But port numbers change, right? Let's do just wss:, only in Development. Now, if I'm using both CSPs and WebSockets (ws:, wss:) in Production, I'll need to be intentional about this. What's the moral? If you start using CSP Headers to tighten things up, be conscious and aware of the headers you need for conveniences like Hot Reload in Development versus whatever things you may need in Production. Hope this helps save you some time!
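Here is the "just add the header yourself" variant of that idea, as an added example that is not DasBlog's code or from the original post: a .NET 6 minimal-hosting Program.cs that sets Content-Security-Policy directly, allowing the wss: scheme for the Hot Reload socket only when the environment is Development and leaving Production at default-src 'self'. The BuildCsp helper is a hypothetical name of mine.

```csharp
// Added example: environment-gated CSP without a third-party library.
// Assumes .NET 6 minimal hosting (WebApplication) and implicit usings.
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Hypothetical helper: build the CSP header value for the current environment.
static string BuildCsp(bool isDevelopment)
{
    var directives = new List<string> { "default-src 'self'" };

    if (isDevelopment)
    {
        // dotnet watch / VS 2022 inject aspnetcore-browser-refresh.js, which opens
        // wss://localhost:<port> back to the runner. That port changes on every
        // run, so allow the secure WebSocket scheme rather than one host:port.
        // Without an explicit connect-src the browser falls back to default-src,
        // which is exactly the "Refused to connect" error seen in the console.
        directives.Add("connect-src 'self' wss:");
    }
    // In Production no connect-src is emitted, so default-src 'self' applies
    // and the page cannot open a WebSocket to any other origin.

    return string.Join("; ", directives);
}

// Development: default-src 'self'; connect-src 'self' wss:
// Production:  default-src 'self'
var csp = BuildCsp(app.Environment.IsDevelopment());

app.Use(async (context, next) =>
{
    // Set the header on every response before the rest of the pipeline runs.
    context.Response.Headers["Content-Security-Policy"] = csp;
    await next();
});

app.MapGet("/", () => "Hello from a CSP-protected page");
app.Run();
```

Run it with ASPNETCORE_ENVIRONMENT=Production (or dotnet run --environment="Production" as above) and check the response headers in the browser's network tab to confirm the wss: allowance is gone.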