We want to document some security recommendations for remote web resources in Blazor Hybrid. We probably want to have these security recommendations in the same page as #25453.
- When iframing external content within a Blazor Hybrid page, we recommend that users leverage sandboxing features to ensure that the iframed content is isolated from the parent page containing the application.
  ```html
  <iframe sandbox src="https://some-external-page.com/foo.html" />
  ```
- Avoid having the app render untrusted content from a database or other resource (such as user-provided comments) in its web UI. If that content is not properly encoded, it could cause malicious code to execute.
- By default, links to URLs outside of the app will be opened using the system's browser and not load within the app. (The user might be able to say that they do want the URL to load in the app, because it is content that they trust, in which case see the previous section about remote content). We recommend against overriding this default behavior.
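
The untrusted-content recommendation above, as an added example that is not taken from this issue or from the Blazor documentation: a Razor component that renders user comments with Blazor's default HTML encoding, next to the `MarkupString` cast that bypasses it. The component name, the `Comment` record and the sample data are hypothetical and constructed for illustration.

```razor
@* CommentList.razor: added example; Comment, Author and Body are hypothetical names. *@

<h3>Comments</h3>

@foreach (var c in comments)
{
    <article>
        @* Encoded: Razor HTML-encodes string expressions, so any markup
           stored in Body is displayed as literal text. *@
        <strong>@c.Author</strong>
        <p>@c.Body</p>

        @* Not encoded: casting to MarkupString makes Blazor emit the string
           as raw HTML. With the second sample comment below, the onerror
           handler would run inside the app's WebView. Kept commented out.
        <p>@((MarkupString)c.Body)</p>
        *@
    </article>
}

@code {
    private record Comment(string Author, string Body);

    // Constructed sample data standing in for rows loaded from a database.
    private readonly Comment[] comments =
    {
        new Comment("alice", "Works fine on Windows."),
        new Comment("mallory", "<img src=x onerror=\"alert(document.domain)\">"),
    };
}
```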