Skip to content

Prevent browser refresh script from injecting into iframes #21954

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 11, 2021
Merged

Prevent browser refresh script from injecting into iframes #21954

merged 1 commit into from
Oct 11, 2021

Conversation

@pranavkm
Copy link
Contributor

@pranavkm pranavkm commented Oct 11, 2021
edited
Loading

The aspnet-browser-refresh.js script is injected in to documents that appear to destined to be displayed in the browser. As part of dotnet/aspnetcore#37326, we realized the script was being added to an iframe that appears in the background. (We only found this because the particular page being served uses CSP that is designed to prevent modifications). Even if amending the script had succeeded in this case, VS which uses this code currently does not support having multiple instances of the script calling back.

The fix is to avoid injecting the scripts in responses that are clearly not destined for a visible browser document.

Partly fixes dotnet/aspnetcore#37326

Customer impact

Warnings in the browser console when running F5 / Ctrl-F5 on a React or Angular project template

Testing

  • Added unit tests
  • Verified the E2E manually

Risk

Low

@ghost ghost added the Area-AspNetCore RazorSDK, BlazorWebAssemblySDK, dotnet-watch label Oct 11, 2021
@pranavkm pranavkm requested a review from a team October 11, 2021 20:20
SteveSandersonMS
SteveSandersonMS reviewed Oct 11, 2021
View reviewed changes
src/BuiltInTools/BrowserRefresh/BrowserRefreshMiddleware.cs

if (request.Headers.TryGetValue("Sec-Fetch-Dest", out var values) &&
!StringValues.IsNullOrEmpty(values) &&
!string.Equals(values[0], "document", StringComparison.OrdinalIgnoreCase))
Copy link
Member

@SteveSandersonMS SteveSandersonMS Oct 11, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The spec doesn't talk about any other casing than document so strictly speaking I think this could be StringComparison.Ordinal. However I can't think of any real drawback to doing a case-insensitive check.

SteveSandersonMS
SteveSandersonMS approved these changes Oct 11, 2021
View reviewed changes
Copy link
Member

@SteveSandersonMS SteveSandersonMS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

Do you know if there's a specific plan to fix this for browser link too? That's equally problematic.

@pranavkm
Copy link
Contributor Author

pranavkm commented Oct 11, 2021

I'll file a VS issue and follow up with @jodavis about getting it resolved there.

@pranavkm pranavkm merged commit cc16527 into release/6.0.1xx Oct 11, 2021
@pranavkm pranavkm deleted the prkrishn/fix-37326 branch October 11, 2021 23:12
@mkArtakMSFT mkArtakMSFT added this to the 6.0.1xx milestone Oct 12, 2021
@pranavkm pranavkm mentioned this pull request Oct 12, 2021
Closed
@coryjthompson coryjthompson mentioned this pull request Jan 11, 2024
Merged
@jsakamoto jsakamoto mentioned this pull request Sep 25, 2025
Closed
Copilot AI mentioned this pull request Sep 25, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SteveSandersonMS SteveSandersonMS SteveSandersonMS approved these changes

Assignees

No one assigned

Labels

Area-AspNetCore RazorSDK, BlazorWebAssemblySDK, dotnet-watch Servicing-approved

Projects

None yet

Milestone

6.0.1xx

Development

Successfully merging this pull request may close these issues.

5 participants

@pranavkm @SteveSandersonMS @dougbu @mkArtakMSFT