MapStaticAssets/CSP problem #59486

Open
1 task done
akurone opened this issue Dec 14, 2024 · 0 comments
Labels
area-blazor Includes: Blazor, Razor Components

akurone commented Dec 14, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Hello,
I know this is not exactly a bug but it severely damages the workflow: I want to use the newly introduced MapStaticAssets with a CSP header which doesn't allow inline scripts (via script-src; enforced by our security team).

The ImportMap component renders as an inline script, but this is blocked by the browser because of the CSP header.
Adding the related SHA value to the header solves the issue (for a while :)).

BUT, since everything is immutable with the MapStaticAssets approach, a simple change causes the static assets to be rebuilt and then the contents of the ImportMap are changed and then the SHA is invalid; I need to update it again.

Basically, (almost) every change in the source requires an update of the SHA value of the ImportMap script.

I might be doing something terribly wrong, but after having a quick conversation (AspNetCore.Docs/34351) with @guardrex on the docs I think your comment on the issue is important: as I said, there is actually no bug, but the workflow gets really messy this way. It needs to be addressed either in MapStaticAssets/ImportMap or in the docs (by letting people know how to properly use MapStaticAssets with a rather restrictive CSP).

Expected Behavior

I would love to use MapStaticAssets with a CSP that restricts the use of inline scripts.

Steps To Reproduce

You can follow along with the git history of the repro:

  1. Start with the Blazor Web App template: ImportMap works (c22dda98)
  2. Add the described CSP header: ImportMap is blocked by the browser due to the CSP header (feda3e4c)
  3. Include the SHA in the CSP: ImportMap works again (f8cee93b)
  4. Change something: ImportMap is blocked again due to the content change (19500644)
  5. Update the SHA: ImportMap works again (1fbf61c8)

Exceptions (if any)

No response

.NET Version

9.0.101

Anything else?

cc: @guardrex dotnet/AspNetCore.Docs#34351

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-blazor Includes: Blazor, Razor Components label Dec 14, 2024
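
The behaviour reported above, as an added example that is not part of the original issue and is not ASP.NET Core code: a Node.js script that computes the CSP hash source for an inline import map and reports when a rebuilt page needs a hash the policy does not list. The HTML, fingerprints and function names are constructed for illustration, and it assumes the policy controls scripts through `script-src` (or `default-src`) only.

```javascript
// Added example, not code from the issue or from ASP.NET Core.
const crypto = require("node:crypto");

// A CSP hash source is the base64 SHA-256 of the exact text between the
// <script> tags, byte for byte, so any change to the import map changes it.
function cspHash(scriptText) {
  const digest = crypto.createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Bodies of every inline <script type="importmap"> in the rendered HTML.
function importMapBodies(html) {
  const re = /<script\b[^>]*\btype=["']importmap["'][^>]*>([\s\S]*?)<\/script>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Sources of script-src (falling back to default-src) in a CSP header value.
// Assumption: no script-src-elem directive is in play.
function scriptSrcSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first one wins
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? [];
}

// Hash sources the page needs that the policy does not list.
function missingHashes(html, csp) {
  const allowed = new Set(scriptSrcSources(csp));
  return importMapBodies(html).map(cspHash).filter((h) => !allowed.has(h));
}

// Constructed sample: the same page before and after a rebuild changes a fingerprint.
const page = (fp) => `<head><script type="importmap">{"imports":{"./app.js":"./app.${fp}.js"}}</script></head>`;
const before = page("a1b2c3");
const after = page("d4e5f6");
const policy = `default-src 'self'; script-src 'self' ${cspHash(importMapBodies(before)[0])}`;

console.log("before rebuild, missing:", missingHashes(before, policy));
console.log("after rebuild, missing:", missingHashes(after, policy));
```

Run against the rendered page in a build or deployment step, a non-empty result flags a stale hash before the browser blocks the import map.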