I'm working on a .NET 5 Blazor WASM project. I recently updated my Visual Studio 2019 to version 16.10.0. All of a sudden I started getting an error message in my browser (Google Chrome) console, as shown below:
Refused to load the script 'https://localhost:44340/_framework/aspnetcore-browser-refresh.js' because it violates the following Content Security Policy directive: "script-src 'sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I don't have _framework/aspnetcore-browser-refresh.js added in my index.html. Here are the script and style declarations in my index.html.
Styles declared inside <head> in index.html:
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<title>App</title>
<base href="/" />
<link href="css/site.css" rel="stylesheet" />
<link href="Web.styles.css" rel="stylesheet">
<link href="_content/BlazorDateRangePicker/daterangepicker.min.css" rel="stylesheet" />
<link href="manifest.json" rel="manifest" />
<link rel="apple-touch-icon" sizes="512x512" href="icon-512.png" />
</head>
Scripts in index.html:
<script src="_content/Microsoft.AspNetCore.Components.WebAssembly.Authentication/AuthenticationService.js"></script>
<script src="_framework/blazor.webassembly.js"></script>
<script src="js/Chart.js"></script>
<script src="js/print.js"></script>
<script src="js/pdf.js"></script>
<script src="_content/BlazorDateRangePicker/clickAndPositionHandler.js"></script>
<script src="js/blazorInterop.js"></script>
<script>navigator.serviceWorker.register('service-worker.js');</script>
But when I launch the app via Visual Studio, from the browser I can see that _framework/aspnetcore-browser-refresh.js gets appended to the scripts section in my index.html. Here is the screen print.
Is this related to a configuration error of mine, or do I need to set up CSP in my index.html? Please assist.
Looks like the /_framework/aspnetcore-browser-refresh.js script belongs to a new Hot Reload feature.
Something was broken due to the upgrade, because the message: it violates the following Content Security Policy directive: "script-src 'sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI='" says that you have CSP script-src 'sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI=', but at the same time you load a lot of scripts:
<script src="_content/Microsoft.AspNetCore.Components.WebAssembly.Authentication/AuthenticationService.js"></script>
<script src="_framework/blazor.webassembly.js"></script>
<script src="js/Chart.js"></script>
<script src="js/print.js"></script>
<script src="js/pdf.js"></script>
<script src="_content/BlazorDateRangePicker/clickAndPositionHandler.js"></script>
<script src="js/blazorInterop.js"></script>
<script>navigator.serviceWorker.register('service-worker.js');</script>
At least you need to have 'self' in the script-src directive. Also the sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI= hash value does not match the hash of your navigator.serviceWorker.register('service-worker.js'); inline script.
You should have a lot of CSP errors in the console.
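Added example, not part of the question or the answer above: a small Node.js check that evaluates the script elements from the question against a script-src source list and computes the CSP hash-source for the inline script. The function names and the simplified matching rules (only 'self', hash-sources and 'unsafe-inline' are modelled) are assumptions of this example.

```javascript
const { createHash } = require('crypto');

const PAGE_ORIGIN = 'https://localhost:44340';
// Policy from the console error, and the script elements listed in the question.
const REPORTED_POLICY = "'sha256-fa5rxHhZ799izGRP38+h4ud5QXNT0SFaFlh4eqDumBI='";
const SCRIPTS = [
  { src: '_content/Microsoft.AspNetCore.Components.WebAssembly.Authentication/AuthenticationService.js' },
  { src: '_framework/blazor.webassembly.js' },
  { src: 'js/Chart.js' },
  { src: 'js/print.js' },
  { src: 'js/pdf.js' },
  { src: '_content/BlazorDateRangePicker/clickAndPositionHandler.js' },
  { src: 'js/blazorInterop.js' },
  { inline: "navigator.serviceWorker.register('service-worker.js');" },
  // Appended at run time, per the question.
  { src: 'https://localhost:44340/_framework/aspnetcore-browser-refresh.js' },
];

// CSP hash-source for an inline script: base64 SHA-256 over the exact text
// between <script> and </script> (whitespace included).
function cspHash(inlineText) {
  return "'sha256-" + createHash('sha256').update(inlineText, 'utf8').digest('base64') + "'";
}

// Simplified script-src evaluation (assumption: nonces, host sources and
// 'strict-dynamic' are not modelled).
function evaluate(scriptSrc, scripts = SCRIPTS, origin = PAGE_ORIGIN) {
  const sources = scriptSrc.trim().split(/\s+/);
  const hasHashOrNonce = sources.some((s) => /^'(sha(256|384|512)|nonce)-/.test(s));
  return scripts.map((s) => {
    if (s.src !== undefined) {
      const sameOrigin = new URL(s.src, origin + '/').origin === origin;
      return { script: s.src, allowed: sameOrigin && sources.includes("'self'") };
    }
    const hash = cspHash(s.inline);
    // Browsers ignore 'unsafe-inline' once a hash or nonce is present.
    const allowed = sources.includes(hash) ||
      (sources.includes("'unsafe-inline'") && !hasHashOrNonce);
    return { script: '<inline>', hash, allowed };
  });
}

// Show what the reported policy blocks, then the effect of adding 'self'.
console.table(evaluate(REPORTED_POLICY));
console.table(evaluate("'self' " + REPORTED_POLICY));
```

The hash column for the inline row is the value a script-src directive would need to list for that exact inline text.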