From 8c5756e8fa723d7246577352a54ba1a491f624ef Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Thu, 7 Apr 2022 08:03:51 -0500
Subject: [PATCH 1/5] Blazor Hybrid Security topic

---
 aspnetcore/blazor/hybrid/security/index.md | 70 ++++++++++++++++++++++
 aspnetcore/blazor/hybrid/tutorials/maui.md |  2 +-
 aspnetcore/toc.yml                         |  2 +
 3 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 aspnetcore/blazor/hybrid/security/index.md

diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md
new file mode 100644
index 000000000000..4f41ce7e8603
--- /dev/null
+++ b/aspnetcore/blazor/hybrid/security/index.md
@@ -0,0 +1,70 @@
+---
+title: ASP.NET Core Blazor Hybrid authentication and authorization
+author: guardrex
+description: Learn about Blazor Hybrid authentication and authorization scenarios.
+monikerRange: '>= aspnetcore-6.0'
+ms.author: riande
+ms.custom: mvc
+ms.date: 04/07/2022
+no-loc: [".NET MAUI", "Mac Catalyst", "Blazor Hybrid", Home, Privacy, Kestrel, appsettings.json, "ASP.NET Core Identity", cookie, Cookie, Blazor, "Blazor Server", "Blazor WebAssembly", "Identity", "Let's Encrypt", Razor, SignalR]
+uid: blazor/hybrid/security/index
+---
+# ASP.NET Core Blazor Hybrid authentication and authorization
+
+This article describes ASP.NET Core's support for the configuration and management of security in Blazor Hybrid apps.
+
+## Untrusted and unencoded content
+
+Avoid allowing an app render untrusted and unencoded content from a database or other resource, such as user-provided comments, in its rendered UI. Permitting untrusted, unencoded content to render can cause malicious code to execute.
+
+## External content rendered in an `iframe`
+
+When using an [`iframe`](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) to display external content within a Blazor Hybrid page, we recommend that users leverage sandboxing features to ensure that the content is isolated from the parent page containing the app. In the following example, the [`sandbox` attribute](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) is present for the `<iframe>` tag to apply [sandboxing features](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) to the `foo.html` page:
+
+```html
+<iframe sandbox src="https://contoso.com/foo.html" />
+```
+
+> [!WARNING]
+> The [`sandbox` attribute](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) is ***not*** supported in early browser versions. For more information, see [Can I use: `sandbox`](https://caniuse.com/?search=sandbox).
+
+## Links to external URLs
+
+By default, links to URLs outside of the app are opened using the system's browser, not loaded within the app. We do ***not*** recommend overriding the default behavior.
+
+The user might be able to indicate that they want the URL to load in the app because it's content that they trust. In that case, see the [Untrusted and unencoded content](#untrusted-and-unencoded-content) section.
+
+## Keep `BlazorWebView` (`WebView`) current in deployed apps
+
+By default, the [`BlazorWebView`](/maui/user-interface/controls/blazorwebview) control uses the currently-installed, platform-specific native `WebView`. Since the native `WebView` is periodically updated with support for new APIs and fixes for security issues, it may be necessary to ensure that an app is using a `WebView` version that meets the app's requirements.
+
+To keep the `WebView` current in deployed apps, check the `WebView` version and prompt the user to take any necessary steps to update it.
+
+<!-- HOLD FOR RC2 AND SWAP FOR THE PRIOR SENTENCE
+
+Use one of the following approaches to keep the `WebView` current in deployed apps:
+
+* **On all platforms**: Check the `WebView` version and prompt the user to take any necessary steps to update it.
+* **Only on Windows**: Package a fixed-version `WebView` within the app, using it in place of the system's shared `WebView`.
+
+-->
+
+### Android
+
+The Android `WebView` is distributed and updated via the [Google Play Store](https://play.google.com/store/apps/details?id=com.google.android.webview). Check the `WebView` version by reading the [`User-Agent`](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent) string. Read the `WebView`'s [`navigator.userAgent`](https://developer.mozilla.org/docs/Web/API/Navigator/userAgent) property using [JavaScript interop](xref:blazor/js-interop/index) and optionally cache the value using a singleton service if the user agent string is required outside of a Razor component context.
+
+### iOS/Mac Catalyst
+
+iOS and Mac Catalyst both use [`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview), a Safari-based control, which is updated by the operating system. Similar to the [Android](#android) case, determine the `WebView` version by reading the `WebView`'s [`User-Agent`](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent) string.
+
+### Windows (.NET MAUI, WPF, WinForms)
+
+On Windows, the Chromium-based [Microsoft Edge `WebView2`](/microsoft-edge/webview2/) is required to run Blazor web apps. By default, the newest installed version of `WebView2` (known as the [Evergreen distribution](/microsoft-edge/webview2/concepts/distribution#details-about-the-fixed-version-runtime-distribution-mode)) is used.
+
+<!-- AT RC2, ADD THE FOLLOWING SENTENCE TO THE PRECEDING PARAGRAPH
+
+If you wish to ship a specific version of `WebView2` with the app, use the [Fixed Version distribution mode](/microsoft-edge/webview2/concepts/distribution#details-about-the-fixed-version-runtime-distribution-mode).
+
+-->
+
+For more information on selecting a `WebView2` distribution mode and checking the currently-installed `WebView2` version, see the [`WebView2` distribution docs](/microsoft-edge/webview2/concepts/distribution).
diff --git a/aspnetcore/blazor/hybrid/tutorials/maui.md b/aspnetcore/blazor/hybrid/tutorials/maui.md
index a5679224dc9d..607cb329603b 100644
--- a/aspnetcore/blazor/hybrid/tutorials/maui.md
+++ b/aspnetcore/blazor/hybrid/tutorials/maui.md
@@ -22,7 +22,7 @@ This tutorial shows you how to build and run a .NET MAUI Blazor app. You learn h
 
 * [Supported platforms (.NET MAUI documentation)](/dotnet/maui/supported-platforms)
 * [Visual Studio 2022 Preview](https://visualstudio.microsoft.com/vs/preview/) with the **Mobile development with .NET** workload
-* [Microsoft Edge WebView2](https://developer.microsoft.com/microsoft-edge/webview2/): WebView2 is required on Windows when running a native app. When developing .NET MAUI Blazor apps and only running them in Visual Studio's emulators, WebView2 isn't required.
+* [Microsoft Edge `WebView2`](https://developer.microsoft.com/microsoft-edge/webview2/): `WebView2` is required on Windows when running a native app. When developing .NET MAUI Blazor apps and only running them in Visual Studio's emulators, `WebView2` isn't required.
 * [Enable hardware acceleration](/dotnet/maui/android/emulator/hardware-acceleration) to improve the performance of the Android emulator.
 
 ## Create a .NET MAUI Blazor app
diff --git a/aspnetcore/toc.yml b/aspnetcore/toc.yml
index 56f386f5ead1..07fef68b7d58 100644
--- a/aspnetcore/toc.yml
+++ b/aspnetcore/toc.yml
@@ -353,6 +353,8 @@ items:
                 uid: blazor/hybrid/routing
               - name: Browser developer tools
                 uid: blazor/hybrid/developer-tools
+              - name: Security
+                uid: blazor/hybrid/security/index
           - name: Project structure
             uid: blazor/project-structure
           - name: Fundamentals

From 119510ad5e7eabbd9849bf558d2a6a3f3f975076 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Thu, 7 Apr 2022 08:17:11 -0500
Subject: [PATCH 2/5] Updates

---
 aspnetcore/blazor/hybrid/security/index.md | 4 ++++
 aspnetcore/blazor/security/index.md        | 1 +
 2 files changed, 5 insertions(+)

diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md
index 4f41ce7e8603..5e652645b73a 100644
--- a/aspnetcore/blazor/hybrid/security/index.md
+++ b/aspnetcore/blazor/hybrid/security/index.md
@@ -68,3 +68,7 @@ If you wish to ship a specific version of `WebView2` with the app, use the [Fixe
 -->
 
 For more information on selecting a `WebView2` distribution mode and checking the currently-installed `WebView2` version, see the [`WebView2` distribution docs](/microsoft-edge/webview2/concepts/distribution).
+
+## Additional resources
+
+* <xref:blazor/security/index>
diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md
index b15bfc84b5d1..135acfb534ad 100644
--- a/aspnetcore/blazor/security/index.md
+++ b/aspnetcore/blazor/security/index.md
@@ -574,6 +574,7 @@ The <xref:Microsoft.AspNetCore.Components.Authorization.CascadingAuthenticationS
 * <xref:security/index>
 * <xref:security/authentication/windowsauth>
 * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library)
+* <xref:blazor/hybrid/security/index>
 * [Awesome Blazor: Authentication](https://github.com/AdrienTorris/awesome-blazor#authentication) community sample links
 
 :::moniker-end

From 26281db0c7852c8a4b5599e3084e876c04b5cc12 Mon Sep 17 00:00:00 2001
From: Luke Latham <1622880+guardrex@users.noreply.github.com>
Date: Mon, 11 Apr 2022 14:40:56 -0500
Subject: [PATCH 3/5] Apply suggestions from code review

I'll make the `WebView` change locally for the next commit.

I'll circle around for that update everywhere on the new issue that I opened.

Co-authored-by: Mackinnon Buck <mackinnon.buck@gmail.com>
---
 aspnetcore/blazor/hybrid/security/index.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md
index 5e652645b73a..24690a52a373 100644
--- a/aspnetcore/blazor/hybrid/security/index.md
+++ b/aspnetcore/blazor/hybrid/security/index.md
@@ -30,11 +30,11 @@ When using an [`iframe`](https://developer.mozilla.org/docs/Web/HTML/Element/ifr
 
 ## Links to external URLs
 
-By default, links to URLs outside of the app are opened using the system's browser, not loaded within the app. We do ***not*** recommend overriding the default behavior.
+By default, links to URLs outside of the app are opened in an appropriate external app, not loaded within the `WebView`. We do ***not*** recommend overriding the default behavior.
 
 The user might be able to indicate that they want the URL to load in the app because it's content that they trust. In that case, see the [Untrusted and unencoded content](#untrusted-and-unencoded-content) section.
 
-## Keep `BlazorWebView` (`WebView`) current in deployed apps
+## Keep the `WebView` current deployed apps
 
 By default, the [`BlazorWebView`](/maui/user-interface/controls/blazorwebview) control uses the currently-installed, platform-specific native `WebView`. Since the native `WebView` is periodically updated with support for new APIs and fixes for security issues, it may be necessary to ensure that an app is using a `WebView` version that meets the app's requirements.
 
@@ -67,7 +67,7 @@ If you wish to ship a specific version of `WebView2` with the app, use the [Fixe
 
 -->
 
-For more information on selecting a `WebView2` distribution mode and checking the currently-installed `WebView2` version, see the [`WebView2` distribution docs](/microsoft-edge/webview2/concepts/distribution).
+For more information on checking the currently-installed `WebView2` version, see the [`WebView2` distribution docs](/microsoft-edge/webview2/concepts/distribution).
 
 ## Additional resources
 

From 7c70fae03d0d52dc20554b405545840ebfdb2203 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Mon, 11 Apr 2022 14:43:27 -0500
Subject: [PATCH 4/5] Swap no-loc "Web View" for code-fenced version

---
 aspnetcore/blazor/hybrid/security/index.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md
index 24690a52a373..e51305453825 100644
--- a/aspnetcore/blazor/hybrid/security/index.md
+++ b/aspnetcore/blazor/hybrid/security/index.md
@@ -30,32 +30,32 @@ When using an [`iframe`](https://developer.mozilla.org/docs/Web/HTML/Element/ifr
 
 ## Links to external URLs
 
-By default, links to URLs outside of the app are opened in an appropriate external app, not loaded within the `WebView`. We do ***not*** recommend overriding the default behavior.
+By default, links to URLs outside of the app are opened in an appropriate external app, not loaded within the :::no-loc text="Web View":::. We do ***not*** recommend overriding the default behavior.
 
 The user might be able to indicate that they want the URL to load in the app because it's content that they trust. In that case, see the [Untrusted and unencoded content](#untrusted-and-unencoded-content) section.
 
-## Keep the `WebView` current deployed apps
+## Keep the :::no-loc text="Web View"::: current deployed apps
 
-By default, the [`BlazorWebView`](/maui/user-interface/controls/blazorwebview) control uses the currently-installed, platform-specific native `WebView`. Since the native `WebView` is periodically updated with support for new APIs and fixes for security issues, it may be necessary to ensure that an app is using a `WebView` version that meets the app's requirements.
+By default, the [`BlazorWebView`](/maui/user-interface/controls/blazorwebview) control uses the currently-installed, platform-specific native :::no-loc text="Web View":::. Since the native :::no-loc text="Web View"::: is periodically updated with support for new APIs and fixes for security issues, it may be necessary to ensure that an app is using a :::no-loc text="Web View"::: version that meets the app's requirements.
 
-To keep the `WebView` current in deployed apps, check the `WebView` version and prompt the user to take any necessary steps to update it.
+To keep the :::no-loc text="Web View"::: current in deployed apps, check the :::no-loc text="Web View"::: version and prompt the user to take any necessary steps to update it.
 
 <!-- HOLD FOR RC2 AND SWAP FOR THE PRIOR SENTENCE
 
-Use one of the following approaches to keep the `WebView` current in deployed apps:
+Use one of the following approaches to keep the :::no-loc text="Web View"::: current in deployed apps:
 
-* **On all platforms**: Check the `WebView` version and prompt the user to take any necessary steps to update it.
-* **Only on Windows**: Package a fixed-version `WebView` within the app, using it in place of the system's shared `WebView`.
+* **On all platforms**: Check the :::no-loc text="Web View"::: version and prompt the user to take any necessary steps to update it.
+* **Only on Windows**: Package a fixed-version :::no-loc text="Web View"::: within the app, using it in place of the system's shared :::no-loc text="Web View":::.
 
 -->
 
 ### Android
 
-The Android `WebView` is distributed and updated via the [Google Play Store](https://play.google.com/store/apps/details?id=com.google.android.webview). Check the `WebView` version by reading the [`User-Agent`](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent) string. Read the `WebView`'s [`navigator.userAgent`](https://developer.mozilla.org/docs/Web/API/Navigator/userAgent) property using [JavaScript interop](xref:blazor/js-interop/index) and optionally cache the value using a singleton service if the user agent string is required outside of a Razor component context.
+The Android :::no-loc text="Web View"::: is distributed and updated via the [Google Play Store](https://play.google.com/store/apps/details?id=com.google.android.webview). Check the :::no-loc text="Web View"::: version by reading the [`User-Agent`](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent) string. Read the :::no-loc text="Web View":::'s [`navigator.userAgent`](https://developer.mozilla.org/docs/Web/API/Navigator/userAgent) property using [JavaScript interop](xref:blazor/js-interop/index) and optionally cache the value using a singleton service if the user agent string is required outside of a Razor component context.
 
 ### iOS/Mac Catalyst
 
-iOS and Mac Catalyst both use [`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview), a Safari-based control, which is updated by the operating system. Similar to the [Android](#android) case, determine the `WebView` version by reading the `WebView`'s [`User-Agent`](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent) string.
+iOS and Mac Catalyst both use [`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview), a Safari-based control, which is updated by the operating system. Similar to the [Android](#android) case, determine the :::no-loc text="Web View"::: version by reading the :::no-loc text="Web View":::'s [`User-Agent`](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent) string.
 
 ### Windows (.NET MAUI, WPF, WinForms)
 

From 4bf9aa9ad841fc9e4eed4a2ab4ff562349e49bd6 Mon Sep 17 00:00:00 2001
From: Luke Latham <1622880+guardrex@users.noreply.github.com>
Date: Tue, 12 Apr 2022 14:53:41 -0500
Subject: [PATCH 5/5] Add the Blazor Hybrid preview notice

---
 aspnetcore/blazor/hybrid/security/index.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md
index e51305453825..7997da3b3a66 100644
--- a/aspnetcore/blazor/hybrid/security/index.md
+++ b/aspnetcore/blazor/hybrid/security/index.md
@@ -13,6 +13,8 @@ uid: blazor/hybrid/security/index
 
 This article describes ASP.NET Core's support for the configuration and management of security in Blazor Hybrid apps.
 
+[!INCLUDE[](~/blazor/includes/blazor-hybrid-preview-notice.md)]
+
 ## Untrusted and unencoded content
 
 Avoid allowing an app render untrusted and unencoded content from a database or other resource, such as user-provided comments, in its rendered UI. Permitting untrusted, unencoded content to render can cause malicious code to execute.