Security implications of using IHttpContextAccessor in Blazor Server #27944
Description
The documentation note the following on IHttpContextAccessor:
Additionally, again for security reasons, you must not use IHttpContextAccessor within Blazor apps. Blazor apps run outside of the context of the ASP.NET Core pipeline. The HttpContext isn't guaranteed to be available within the IHttpContextAccessor, nor is it guaranteed to be holding the context that started the Blazor app.
The default HttpContextAccessor is implemented using AsyncLocal:
I fail to understand the security implications of using IHttpContextAccessor in Blazor Server. AsyncLocal in general must flow with the user's SignalR connection†. So that would also be the case for the HttpContext stored in this AsyncLocal. This is also what we're seeing in our tests.
- Under what situations would
IHttpContextAccessorreturn a differentHttpContextthan the one that started the Blazor app? (i.e. another user) - How is this use of
AsyncLocalany different from other uses ofAsyncLocaland (apparently) a security consideration? - How can we pass the originating
HttpContextfrom the "context of the ASP.NET Core pipeline" safely to the Blazor Server app?
† If that isn't the case, then all bets are off.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: ff954815-0f8b-9f1b-9772-1657744b4f9e
- Version Independent ID: ed7d726d-41c6-73d8-d564-91530b4935c3
- Content: Threat mitigation guidance for ASP.NET Core Blazor Server
- Content Source: aspnetcore/blazor/security/server/threat-mitigation.md
- Product: aspnet-core
- Technology: aspnetcore-security
- GitHub Login: @guardrex
- Microsoft Alias: riande
Metadata
Metadata
Assignees
Type
Projects
Status