
GarethWynn-3096 asked Bruce-SqlWork commented

Razor component parameter names and values sent to client in Blazor server-side

I've been examining the data sent back to the client from a Blazor server-side app. Something that I noticed in the messages is that the JS.RenderBatch call includes the names and values of Razor parameters. I wasn't expecting this as I'd assumed all of that logic would be handled on the server. For example, I have a component which takes a parameter in order to decide what content to display. The value of the parameter is a string and both the parameter name and the value are included in the JS.RenderBatch call. It only seems to apply to strings as far as I can tell.

For example, I have a component that has 2 parameters, Value1 and Value2. This is included in the JS.RenderBatch call:
Value1 layoutParameterValue1 Value2 layoutParameterValue2


I consider this to be a potential security issue because somebody may pass sensitive information to a Razor parameter and believe that it will only be processed on the server. Does anyone know why this happens?

dotnet-aspnet-core-blazor

In Blazor Server the rendering and logic happen on the server. Passing name/value pairs is fundamentally how web applications (HTTP) work.

The rule of thumb for any web application is do not pass sensitive data to the client browser.

It sounds like you have a design issue. If you need help then share your code so we can see what you're doing and provide alternatives. Perhaps you can use a cache or Session to store the sensitive information by user.


Thanks for your response.

Just to be clear, what I'm saying is that elements of Razor markup from the server are being sent to the client.

E.g. if I declare a component

<AuthorizedUserOnly Roles="PowerUser">..

Then the parameter name Roles and the parameter value "PowerUser" would be sent to the client. I don't know much about the internal workings of Blazor but I don't see why that data is sent to the client. I've never seen any recommendation or guideline about not putting sensitive information in Razor parameters on server-side Blazor.


if I declare a component
<AuthorizedUserOnly Roles="PowerUser">..
Then the parameter name Roles and the parameter value "PowerUser" would be sent to the client. I don't know much about the internal workings of Blazor but I don't see why that data is sent to the client. I've never seen any recommendation or guideline about not putting sensitive information in Razor parameters on server-side Blazor.

For sensitive information (such as the user roles), if you check the rendered HTML, you can't find it there (`<AuthorizedUserOnly Roles="PowerUser">`).

Generally, when a user logs in successfully, the user information (such as user name and user roles) is returned to the client and stored in a cookie or token. On the next request, the cookie or token is added to the request header, and the server validates whether the request is authenticated (has the token or user identity information) and has permission to access the related data.

Besides, ASP.NET Core also contains features that help you secure your apps and prevent security breaches, such as Cross-Site Request Forgery (XSRF/CSRF) attacks.



The roles are returned to the client. Not in the HTML but in the messages sent to the client which I believe are over the SignalR connection. I've attached a screenshot from my browser showing this.

This is for the Razor markup:
<AuthorizeView Roles="Admin,Customer,PowerUser" />

Attachment: disclosure.gif (815.1 KiB)
Bruce-SqlWork answered Bruce-SqlWork commented

Razor components (and their attributes) are added to the Razor render tree. As a copy of the render tree is kept at the client, it also gets a copy. The client render tree is used to produce the actual HTML updates to the DOM.

In your sample code, MainLayout.razor renders the markup:

<TestComponent TestParameter="this should not be sent to the client" />

This markup will be added to the render tree as a component node. Any markup generated by this component will be added as children of this component.

Note: the server version of Blazor builds the same render tree as the WASM version would build.


Thanks for your response. I think it's surprising to people that this information is sent to the client in Blazor server-side. That is the reaction I've had from my own team and also in the Gitter Blazor group.

It would be good if this were pointed out somewhere in the documentation because I can think of many cases where a developer may pass sensitive information to a component and not realize that it will be sent to the client.


This is because Blazor uses a single render tree rather than a separate component tree and virtual DOM tree. Just assume all Razor markup is sent to the client.

AgaveJoe answered GarethWynn-3096 commented

Just to be clear, what I'm saying is that elements of Razor markup from the server are being sent to the client.

If you are looking for a dynamic response based on the user's role then you can take advantage of role-based and policy-based authorization. Otherwise, share the entire AuthorizedUserOnly component so we can see what you're doing. Also, explain how your security works.

Otherwise, if your code is returning <AuthorizedUserOnly Roles="PowerUser"> then that's how your code works.


It isn't really about the security. I've just used that code as an example. The issue is that if I pass a string parameter value to any razor component then both the parameter name and the parameter value are sent to the client over the SignalR connection. It doesn't matter what the component does. My question is why does this happen given that all of the processing of the parameter is on the server?


I looked into the "built-in" way of handling roles.

<AuthorizeView Roles="Admin,Customer,PowerUser">...

I tested this and found that the roles are sent to the client. Perhaps that would not be an issue in an application designed to run on the client, i.e. WASM, but I'm surprised to see this in the server-side application, where a developer may not expect that parameter names and values are being exposed to end users.


I tested this and found that the roles are sent to the client.

You are mistaken. The <AuthorizeView Roles="Admin,Customer,PowerUser"> tag is sent to the client if authentication and authorization are not configured properly. Please see the official documentation.

Otherwise, the AuthorizeView is designed to render only the contents of the component.

Share your code and expected results if you need community debugging assistance.




As I said, the values aren't rendered in the page but they are sent over the websocket connection.

I've uploaded a code example based on the Blazor server-side template.

https://github.com/GarethWynn/blazor-disclosure-demo


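The following is an added example, not code from the thread or from the linked repository, showing how to act on the two observations made above: Bruce-SqlWork's point that component attribute frames (including string parameter values) are copied to the client in the render batch, and GarethWynn's finding that `<AuthorizeView Roles="Admin,Customer,PowerUser">` ships the full role list over the SignalR connection. The policy name `CanSeeReport`, the service `SecretLookup`, the component `ReportPanel` and the sample data are all illustrative assumptions; `AuthorizeView`'s `Policy` parameter, `AddAuthorization`, `AddPolicy` and `RequireRole` are real ASP.NET Core APIs. Razor sections are shown as comments because the fence is C#.

```csharp
// Added example: keep the sensitive half of a decision on the server in Blazor Server.
// Every string component parameter is serialised into the render batch, so the rule is:
// only pass the client a non-sensitive key, and resolve the real data server-side.

// --- Before (leaks the role list in the Roles attribute frame, as reported above) ---
//
//   <AuthorizeView Roles="Admin,Customer,PowerUser">
//       <Authorized><p>Report</p></Authorized>
//   </AuthorizeView>

// --- After: the roles live in a named policy registered in Program.cs. Only the policy
// --- name is a string parameter, so the client sees "CanSeeReport", not the roles.
//
//   <AuthorizeView Policy="CanSeeReport">
//       <Authorized><p>Report</p></Authorized>
//   </AuthorizeView>

// Program.cs (policy name and role names are illustrative assumptions)
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("CanSeeReport", policy =>
        policy.RequireRole("Admin", "Customer", "PowerUser"));
});

// The same idea for an arbitrary component parameter: pass an opaque key, inject a
// scoped service that owns the sensitive value, and never assign that value to a
// [Parameter] or render it into markup.

// SecretLookup.cs (hypothetical scoped service; the circuit's DI scope stays on the server)
public sealed class SecretLookup
{
    // constructed sample data; in a real app this would come from a store or claims
    private readonly Dictionary<string, string> _byKey = new()
    {
        ["report-a"] = "server-only value that must not reach the browser",
    };

    public string? Resolve(string key) =>
        _byKey.TryGetValue(key, out var value) ? value : null;
}

// Program.cs
builder.Services.AddScoped<SecretLookup>();

// ReportPanel.razor (hypothetical component)
//
//   @inject SecretLookup Lookup
//
//   @if (_allowed)
//   {
//       <p>Report content</p>
//   }
//
//   @code {
//       // Only this opaque key crosses the wire as a string attribute frame.
//       [Parameter] public string Key { get; set; } = "";
//
//       private bool _allowed;
//
//       protected override void OnParametersSet()
//       {
//           // The sensitive value is resolved and consumed here, on the server.
//           // It is never stored in a parameter or emitted as markup, so it is
//           // never part of the render tree and never serialised to the client.
//           _allowed = Lookup.Resolve(Key) is not null;
//       }
//   }
//
// MainLayout.razor usage:
//
//   <ReportPanel Key="report-a" />
```

Two caveats. The policy name (or the key) is still visible in the WebSocket frames, so it must itself be non-sensitive; what this pattern hides is the mapping behind it. And anything a component actually renders into the DOM is sent regardless of how it was obtained, so the check is the one GarethWynn used: inspect the SignalR messages in the browser's network tab and search them for the value you expected to stay server-side.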