Why are external resources in my page being blocked in Web Live Preview?
If your page includes external resources from a third-party domain, you may notice that the designer in Web Live Preview has prevented them from loading, and shows this toast:
You may be wondering why the resources have been blocked from loading in the designer, and why the toast is showing. This article explains why resources have been blocked.
Overview of Web Live Preview and BrowserLink
Web Live Preview (WLP) is a Visual Studio extension built on top of BrowserLink. WLP uses BrowserLink to provide a channel for two-way communication between Visual Studio and the designer. This two-way communication allows WLP to provide many features:
- Synchronizing the contents and currently selected node in the designer with that of the editor.
- Pushing new content created from the designer into the editor.
- Executing Action Panel commands.
Potential Security Vulnerabilities with Web Live Preview and BrowserLink
If you inject any scripts or resources from a third party into your web page, you could be exposed to a potential security vulnerability: WLP and BrowserLink could be used to carry out a Cross-Site Scripting (XSS) attack.
If a third-party resource can inject malicious code into the site, the code could use the BrowserLink script injected into the designer to make calls back to Visual Studio. The injected script could allow the code to write arbitrary content in files open in Visual Studio or open up other attack vectors.
Currently, there's no good way to prevent attackers from communicating via the BrowserLink script back to Visual Studio.
Security vulnerability mitigation
As much as possible, we've limited and mitigated the security vulnerabilities from the communication via the BrowserLink script back to Visual Studio. However, some attacks are still possible through XSS.
To reduce the possibility of such an XSS attack, by default, WLP blocks all external resources from being loaded. If any external resource is blocked, WLP shows the following toast in the upper-right-hand corner of the designer:
(In this example, we use the following SVG, which is an external resource used in a sample web app: https://visualstudio.microsoft.com/wp-content/uploads/2021/10/Product-Icon.svg)
If the Microsoft Edge DevTools window is opened, you may also notice the following message explaining why an external resource failed to load:
In the toast of the designer, if you select the "click here" link, it brings up the following dialog, with the domains of the blocked resources automatically added to the dialog's list:
Resources coming from external domains stored in the dialog's list aren't blocked in WLP and load as usual. After you click OK, the designer reloads the page and loads any previously blocked resources whose domains were added to the dialog. Make sure that you only allow external domains that you have verified to be trustworthy and safe.
Clicking the "Web Live Preview - external domains" link in the toast brings up the same dialog, but won't add any of the domains of the blocked resources into the dialog:
You can also access the dialog through the Tools -> Options -> Web Live Preview -> Allowed external domains during design setting. The dialog settings are per installed instance of Visual Studio.
Allowing domains to not be blocked by default could expose you to the XSS attack mentioned above. Again, we highly recommend only allowing external domains that you can verify as trustworthy and safe.
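One way to see which third-party domains a page pulls in before adding any of them to the allowed list, shown as an added example that is not part of the original article or of Web Live Preview. The tag list, the `review` helper and the sample markup are assumptions of this example, and it does not reproduce how WLP itself decides what to block.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a resource (assumed, not exhaustive).
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                  "embed": "src", "source": "src", "link": "href"}
ACTIVE_TAGS = {"script", "iframe", "embed"}  # can bring active content into the page

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs in document order
    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.refs.append((tag, value.strip()))

def external_hosts(markup, site_host):
    """Map each third-party host to the set of tags that load from it."""
    collector = ResourceCollector()
    collector.feed(markup)
    collector.close()
    hosts = {}
    for tag, url in collector.refs:
        host = (urlsplit(url).hostname or "").lower()  # empty for relative URLs
        if host and host != site_host.lower():
            hosts.setdefault(host, set()).add(tag)
    return hosts

def review(markup, site_host, reviewed):
    """Compare the hosts a page uses with the domains already vetted."""
    hosts = external_hosts(markup, site_host)
    vetted = {h.lower() for h in reviewed}
    return {
        "needs_review": sorted(h for h in hosts if h not in vetted),
        "active_content": sorted(h for h, tags in hosts.items() if tags & ACTIVE_TAGS),
        "unused_allowed": sorted(vetted - set(hosts)),
    }

# Constructed sample markup; only the SVG URL comes from the article.
SAMPLE = """<link rel="stylesheet" href="Content/site.css" />
<script src="https://cdn.example.com/lib/widget.js"></script>
<script src="//analytics.example.net/t.js"></script>
<img src="https://visualstudio.microsoft.com/wp-content/uploads/2021/10/Product-Icon.svg" />
<a href="https://docs.example.org/help">Help</a>"""
if __name__ == "__main__":
    print(review(SAMPLE, "localhost", {"visualstudio.microsoft.com", "old-cdn.example.com"}))
```

Hosts under `active_content` serve scripts or frames and deserve the closest look before being allowed; `unused_allowed` lists vetted domains that no longer appear in the page and can be dropped from the list.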