dotnet · guardrex · May 23, 2022 · May 3, 2022 · May 4, 2022 · May 4, 2022
@@ -0,0 +1,94 @@
+---
+title: ASP.NET Core Blazor Hybrid security considerations
+author: guardrex
+description: Learn about security considerations when developing apps in Blazor Hybrid.
+monikerRange: '>= aspnetcore-6.0'
+ms.author: riande
+ms.custom: mvc
+ms.date: 05/23/2022
+no-loc: [".NET MAUI", "Mac Catalyst", "Blazor Hybrid", Home, Privacy, Kestrel, appsettings.json, "ASP.NET Core Identity", cookie, Cookie, Blazor, "Blazor Server", "Blazor WebAssembly", "Identity", "Let's Encrypt", Razor, SignalR]
+uid: blazor/hybrid/security/security-considerations
+---
+# ASP.NET Core Blazor Hybrid security considerations
+
+This article describes security considerations for Blazor Hybrid apps.
+
+[!INCLUDE[](~/blazor/includes/blazor-hybrid-preview-notice.md)]
+
+Blazor Hybrid apps that render web content execute .NET code inside a platform :::no-loc text="Web View":::. The .NET code interacts with the web content via an interop channel between the .NET code and the :::no-loc text="Web View":::.
+
+![The WebView and .NET code interoperate within the app to render web content.](~/blazor/hybrid/security/index/_static/figure01.png)
+
+The web content rendered into the :::no-loc text="Web View"::: can come from assets provided by the app from either of the following locations:
+
+* The `wwwroot` folder in the app.
+* A source external to the app. For example, a network source, such as the Internet.
+
+A trust boundary exists between the .NET code and the code that runs inside the :::no-loc text="Web View":::. .NET code is provided by the app and any trusted third-party packages that you've installed. After the app is built, the .NET code :::no-loc text="Web View"::: content sources can't change.
+
+In contrast to the .NET code sources of content, content sources from the code that runs inside the :::no-loc text="Web View"::: can come not only from the app but also from external sources. For example, static assets from an external Content Delivery Network (CDN) might be used or rendered by an app's :::no-loc text="Web View":::.
+
+Consider the code inside the :::no-loc text="Web View"::: as **untrusted** in the same way that code running inside the browser for a web app isn't trusted. The same threats and general security recommendations apply to untrusted resources in Blazor Hybrid apps as for other types of apps.
+
+If possible, avoid loading content from a third-party origin. To mitigate risk, you might be able to serve content directly from the app by downloading the external assets, verifying that they're safe to serve to users, and placing them into the app's `wwwroot` folder for packaging with the rest of the app. When the external content is downloaded for inclusion in the app, we recommend scanning it for viruses and malware before placing it into the `wwwroot` folder of the app.
+
+If your app must reference content from an external origin, we recommended that you use common web security approaches to provide the app with an opportunity to block the content from loading if the content is compromised:
+
+* Serve content securely with TLS/HTTPS.
+* Institute a [Content Security Policy (CSP)](https://developer.mozilla.org/docs/Web/HTTP/CSP).
+* Perform [subresource integrity](https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity) checks.
+
+Even if all of the resources are packed into the app and don't load from any external origin, remain cautious about problems in the resources' code that run inside the :::no-loc text="Web View":::, as the resources might have vulnerabilities that could allow [cross-site scripting (XSS)](xref:blazor/security/server/threat-mitigation#cross-site-scripting-xss) attacks.
+
+In general, the Blazor framework protects against XSS by dealing with HTML in safe ways. However, some programming patterns allow Razor components to inject raw HTML into rendered output, such as rendering content from an untrusted source. For example, rendering HTML content directly from a database should be avoided. Additionally, JavaScript libraries used by the app might manipulate HTML in unsafe ways to inadvertently or deliberately render unsafe output.
+
+For these reasons, it's best to apply the same protections against XSS that are normally applied to web apps. Prevent loading scripts from unknown sources and don't implement potentially unsafe JavaScript features, such as [`eval`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/eval) and other unsafe JavaScript primitives. Establishing a CSP is recommended to reduce these security risks.
+
+If the code inside the :::no-loc text="Web View"::: is compromised, the code gains access to all of the content inside the :::no-loc text="Web View"::: and might interact with the host via the interop channel. For that reason, any content coming from the :::no-loc text="Web View"::: (events, JS interop) must be treated as **untrusted** and validated in the same way as for other sensitive contexts, such as in a compromised Blazor Server app that can lead to malicious attacks on the host system.
+
+Don't store sensitive information, such as credentials, security tokens, or sensitive user data, in the context of the :::no-loc text="Web View":::, as it makes the information available to an attacker if the :::no-loc text="Web View"::: is compromised. There are safer alternatives, such as handling the sensitive information directly within the native portion of the app.
+
+## External content rendered in an `iframe`
+
+When using an [`iframe`](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) to display external content within a Blazor Hybrid page, we recommend that users leverage [sandboxing features](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) to ensure that the content is isolated from the parent page containing the app. In the following example, the [`sandbox` attribute](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) is present for the `<iframe>` tag to apply sandboxing features to the `foo.html` page:
+
+```html
+<iframe sandbox src="https://contoso.com/foo.html" />
+```
+
+> [!WARNING]
+> The [`sandbox` attribute](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) is ***not*** supported in early browser versions. For more information, see [Can I use: `sandbox`](https://caniuse.com/?search=sandbox).
+
+## Links to external URLs
+
+By default, links to URLs outside of the app are opened in an appropriate external app, not loaded within the :::no-loc text="Web View":::. We do ***not*** recommend overriding the default behavior.
+
+## Keep the :::no-loc text="Web View"::: current in deployed apps
+
+By default, the [`BlazorWebView`](/maui/user-interface/controls/blazorwebview) control uses the currently-installed, platform-specific native :::no-loc text="Web View":::. Since the native :::no-loc text="Web View"::: is periodically updated with support for new APIs and fixes for security issues, it may be necessary to ensure that an app is using a :::no-loc text="Web View"::: version that meets the app's requirements.
+
+Use one of the following approaches to keep the :::no-loc text="Web View"::: current in deployed apps:
+
+* **On all platforms**: Check the :::no-loc text="Web View"::: version and prompt the user to take any necessary steps to update it.
+* **Only on Windows**: Package a fixed-version :::no-loc text="Web View"::: within the app, using it in place of the system's shared :::no-loc text="Web View":::.
+
+### Android
+
+The Android :::no-loc text="Web View"::: is distributed and updated via the [Google Play Store](https://play.google.com/store/apps/details?id=com.google.android.webview). Check the :::no-loc text="Web View"::: version by reading the [`User-Agent`](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent) string. Read the :::no-loc text="Web View":::'s [`navigator.userAgent`](https://developer.mozilla.org/docs/Web/API/Navigator/userAgent) property using [JavaScript interop](xref:blazor/js-interop/index) and optionally cache the value using a singleton service if the user agent string is required outside of a Razor component context.
+
+### iOS/Mac Catalyst
+
+iOS and Mac Catalyst both use [`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview), a Safari-based control, which is updated by the operating system. Similar to the [Android](#android) case, determine the :::no-loc text="Web View"::: version by reading the :::no-loc text="Web View":::'s [`User-Agent`](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent) string.
+
+### Windows (.NET MAUI, WPF, Windows Forms)
+
+On Windows, the Chromium-based [Microsoft Edge `WebView2`](/microsoft-edge/webview2/) is required to run Blazor web apps.
+
+By default, the newest installed version of `WebView2`, known as the *:::no-loc text="Evergreen distribution":::*, is used. If you wish to ship a specific version of `WebView2` with the app, use the *:::no-loc text="Fixed Version distribution":::*.
+
+For more information on checking the currently-installed `WebView2` version and the distribution modes, see the [`WebView2` distribution documentation](/microsoft-edge/webview2/concepts/distribution).
+
+## Additional resources
+
+* <xref:blazor/hybrid/security/index>
+* <xref:blazor/security/index>
@@ -5,7 +5,7 @@ description: Learn how to consume static asset files in Blazor Hybrid apps.
 monikerRange: '>= aspnetcore-6.0'
 ms.author: riande
 ms.custom: mvc
-ms.date: 05/20/2022
+ms.date: 05/23/2022
 no-loc: [".NET MAUI", "Mac Catalyst", "Blazor Hybrid", Home, Privacy, Kestrel, appsettings.json, "ASP.NET Core Identity", cookie, Cookie, Blazor, "Blazor Server", "Blazor WebAssembly", "Identity", "Let's Encrypt", Razor, SignalR]
 uid: blazor/hybrid/static-files
 ---

diff --git a/aspnetcore/toc.yml b/aspnetcore/toc.yml
@@ -357,8 +357,12 @@ items:
                 uid: blazor/hybrid/developer-tools
               - name: Reuse Razor components
                 uid: blazor/hybrid/reuse-razor-components
-              - name: Security
-                uid: blazor/hybrid/security/index
+              - name: Security and Identity
+                items:
+                  - name: Overview
+                    uid: blazor/hybrid/security/index
+                  - name: Security considerations
+                    uid: blazor/hybrid/security/security-considerations
           - name: Project structure
             uid: blazor/project-structure
           - name: Fundamentals
@@ -709,13 +713,13 @@ items:
             uid: signalr/java-client
             displayName: signalr
           - name: Java API reference
-            href: /java/api/com.microsoft.signalr?view=aspnet-signalr-java
+            href: /java/api/com.microsoft.signalr
             displayName: signalr
           - name: JavaScript client
             uid: signalr/javascript-client
             displayName: signalr
           - name: JavaScript API reference
-            href: /javascript/api/@microsoft/signalr/?view=signalr-js-latest
+            href: /javascript/api/@microsoft/signalr/
             displayName: signalr
       - name: Host and scale
         displayName: signalr
@@ -1534,6 +1538,6 @@ items:
         displayName: migrate, migration
         uid: migration/logging-nonaspnetcore
   - name: API reference
-    href: /dotnet/api/?view=aspnetcore-2.2
+    href: /dotnet/api/
   - name: Contribute
     href: https://github.com/dotnet/AspNetCore.Docs/blob/main/CONTRIBUTING.md
diff --git a/aspnetcore/zone-pivot-groups.yml b/aspnetcore/zone-pivot-groups.yml
@@ -30,3 +30,13 @@ groups:
       title: macOS
     - id: windows
       title: Windows
+- id: blazor-hybrid-frameworks
+  title: Framework
+  prompt: Target framework
+  pivots:
+    - id: maui
+      title: .NET MAUI
+    - id: wpf
+      title: WPF
+    - id: winforms
+      title: Windows Forms