Getting Started with ASP.NET Web Forms

The Web Forms model and how to create pages and use controls.

Why are external resources in my page being blocked in Web Live Preview?

If you have any external resources from a third party domain that are in your page, you may notice that the designer in Web Live Preview has prevented them from loading, and shows this toast:

Blocked Resources Toast

You may be wondering why the resources have been blocked from loading in the designer, and why the toast is showing. This article explains why resources have been blocked.

Web Live Preview (WLP) is a Visual Studio extension built on top of BrowserLink. WLP uses BrowserLink to provide a channel for two-way communication between Visual Studio and the designer. This two-way communication allows WLP to provide many features:

  • Synchronizing the contents and currently selected node in the designer with that of the editor.
  • Pushing new content created from the designer into the editor.
  • Executing Action Panel commands.

If you inject any scripts or resources from a third party into your web page, this could expose you to a potential security vulnerability by using WLP and BrowserLink to make a Cross-Site Scripting (XSS) attack.

If a third party resource can inject malicious code into the site, the code could use the Browser Link script injected into the designer to make calls back to Visual Studio. The injected script could allow the code to write arbitrary content in files open in Visual Studio or open up other attack vectors.

Currently, there's no good way to prevent attackers from communicating via the BrowserLink script back to Visual Studio.

Security vulnerability mitigation

As much as possible, we've limited and mitigated the security vulnerabilities from the communication via the BrowserLink script back to Visual Studio. However, some attacks can still be made possible through an XSS attack.

To reduce the possibility of such an XSS attack, by default, WLP blocks all external resources from being loaded. If any external resource is blocked, WLP shows the following toast in the upper-right-hand corner of the designer:

Blocked Resources Toast

(In this example, we use the following SVG, which is an external resource used in a sample web app:

If the Microsoft Edge DevTools window is opened, you may also notice the following message explaining why an external resource failed to load:

Blocked Resources Message DevTools

In the toast of the designer, if you select the click here link, it brings up the following dialog, with the domains of the blocked resources automatically added to the dialog's list:

Allow Domains

Any resources coming from external domains stored in the list of the dialog won't be blocked by default in WLP and loads as usual. After clicking OK, the designer reloads the page and loads any previously blocked resources whose domains were added to the dialog. Make sure that you only allow external domains that you have verified to be trustworthy and safe.

Clicking the Web Live Preview - external domains link in the toast brings up the same dialog, but won't add any of the domains of the blocked resources into the dialog:

Allow Domains without Add

You can also access the dialog through the Tools -> Options -> Web Live Preview -> Allowed external domains during design setting. The dialog settings are per installed instance of Visual Studio.

Tools Options Blocked Resources


Allowing domains to not be blocked by default could expose you to the XSS attack mentioned above. Again, we highly recommend only allowing external domains that you can verify as trustworthy and safe.