Unfortunately this is still an issue due to the Chrome bug:

This resource helps detect if the chrome issue is resolved (WASM related, not blazor specific): https://s3.amazonaws.com/webassembly-chrome-csp/csp_test.html

Others are having the same issue as well: element-hq/element-web#12262

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

@TanayParikh based on my testing with dotnet.7.0.0-preview.3.22175.4 the runtime still requires unsafe-eval, mainly due to the evaluation of string in the following line:

https://github.com/dotnet/runtime/blob/14584c60b41ddc361442539f78bc3d54d3ab3ea2/src/mono/wasm/runtime/method-binding.ts#L113

The original issue was closed and locked so I am hoping you might be able to reopen it.

original issue

Can you please provide a link.

I was referring to the issue that you have created and linked to from here.
dotnet/runtime#59416 Make mono CSP Compliant

Just to show that its not a rare or low-impact issue. This issue is 100% blocking me from using Blazor in new projects. My company has a security requirement on things going into production that disallows us from using unsafe-eval.

Just to show that its not a rare or low-impact issue.

I second that.

we need this fixed asap, cannot realistically use blazor wasm without this.
EDIT: Is this available as part of .net 8 preview?

I need to point out that this is a very important thing to fix in order for Blazor to be considered mature.

Specifically, "eval()" in Javascript is considered insecure, but Blazor essentially runs via "eval()."

It's quite critical to fix this, in the long-term, for a Blazor-powered site to be considered safe from XSS attacks.