SaaS CMS has officially launched! Learn more now.

CMS 12.22.8/12.23.0 - ClientResources from root module not accessible


In CMS 12.22.8 and onwards (at the time of writing this post 12.22.8 and 12.23.0) the client resources (e.g., custom styles for UI) from root module (i.e., defined in module.config in root of the project) are no longer loaded by CMS UI.
The resource is requested by CMS UI, but 404 is returned.

Steps to reproduce:

1) Create empty alloy project with dotnet new epi-alloy-mvc --name AlloyTest
The default version of CMS in template is 12.18.0 at the time of writing
2) Create root module.config with following content

<?xml version="1.0" encoding="utf-8"?>
        <add assembly="AlloyTest" />
        <add name="epi-cms.widgets.base" path="Styles/Styles.css" resourceType="Style"/>

3) Create ClientResources/Styles/Styles.css with example content

.epi-form-container__section__label-container {
    font-size: 1.2em;

4) Run the solution - the custom style is loaded from https://localhost:5000/ClientResources/Styles/Styles.css in CMS UI
5) [Optional] Upgrade CMS to 12.22.7 - the custom style will still be loaded
6) Upgrade CMS to 12.22.8 or 12.23.0
7) Run the solution - the custom style will no longer be loaded, although CMS UI will try to load it, but the URL will return 404

I suppose this is an unintended side effect of mitigation of vulnerability found in 12.X - 
However linked blog post didn't mention any required changes in module.config to still run custom styles, and any changes clientResourceRelativePath didn't make any difference.
If someone knows solution or how to workaround this, I would be grateful for hints :) 

Edited, Oct 10, 2023 21:07

I have forwarded the question to respective team. Thank you for your patience and understanding

Oct 10, 2023 22:15

@Karol since this is a vulnerability we will respond to you separately. For anyone reading this thread. This is the expected behaviour.

Oct 11, 2023 5:39
ronpo - Oct 11, 2023 13:04
What is best practice now for the custom Client Resource injection with editor scripts? For example dojo?
Should the module.config be used somewhere else?
Robert Svallin - Oct 11, 2023 13:09
@ronpo No, nothing has really changed in that regards so module.config should still be placed in application root. If you require additional help on how to handle ClientResources please reach out to us with a support case and we can clarify.
Karol Berezicki - Oct 11, 2023 13:51
Hi @Robert,
Thank you for the response here, haven't heard back from you yet.
While I don't challenge the the decision, I believe that this (breaking) change should be documented in and also preferably stated in the blog post.
There are always some solutions for serving the custom scripts / styles securely, and it may differ from project to project, but without any information we are left in the dark.
Robert Svallin - Oct 11, 2023 14:27
@karol I reached out to you on Slack with a DM. Please confirm that you received my message there.
ronpo - Oct 12, 2023 5:14
What is the correct method for serving custom scripts and styles? Any guidance would be greatly appreciated.
Robert Svallin - Oct 12, 2023 5:44
@ronpo I would like to help but since this thread is associated with a vulnerability I will not go into detail here. I can only suggest reading up on official documentation from us and Microsoft on this topic. If you still have issues or questions I suggest reaching out to support and we will guide you through it.
Soren S - Nov 01, 2023 13:09
@Robert can you respond to me as well? I don't like the hack I currenty have to make things work.

The only fix / hack that I got working for this issue was to copy the ClientResources folder into the wwwroot folder. But it shouldn't be like that right?

Nov 01, 2023 9:45

I believe it's the correct/recommended way 

Nov 01, 2023 12:04


1: If ithe correct way is to copy the ClientResources folder into the wwwroot folder, then that copied folder has to be double updated every time changes are done in the source folder?  it seems sick.

2: I tried updating to 12.24 today with the simple alloy example from above and that didn't help anything. So the current ClientResources concept with copying into the wwwroot folder copy is as it should be?

Nov 01, 2023 12:38

Well, it is explained here from yesterdays update:

Nov 01, 2023 14:22

Hi Soren S,

In my opinion the linked solution provided by support is quite bad, because the files were previously protected by "episerver:defaultshellmodule" authorization policy, and with moving them to wwwroot they are publicly available. Of course if you don't have anything you'd like to protect, then it probably doesn't matter.
I have implemented a solution that has at least some level of protection, but I’m not sure if I’m allowed to share it here, since this topic is shrouded in 'security by obscurity'. 

Nov 01, 2023 15:19
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.