Blazor project tracking 2024

[guardrex]

2024

History

• Blazor project tracking 2023 (dotnet/AspNetCore.Docs #28001)
• Blazor project tracking 2022 (dotnet/AspNetCore.Docs #24615)
• Blazor project tracking 2021 (dotnet/AspNetCore.Docs #19286)

Doc ideas

Not ALL of these will be worked. This is an idea list/check list that don't rise to the level of opening an issue at this time.

• Include "NuGet package" in nuget.org cross-links to make it clear the link goes to the package and not the namespace/API doc.
• C#12 primary ctors
• Replace in-text (usually non-working) examples with dotnet/blazor-samples-based, fully working, cut-'n-paste examples. Might be best to create a list on an issue first, then I can work down the list.
• Apply form beautification 🌷 to the 8.0 sample app forms.
• Improve auth state provider docs per Improve documentation for blazor authentication aspnetcore#47490.
• Review Dynamic and extensible authentication requests for coverage opportunities [Blazor][Wasm] Dynamic and extensible authentication requests aspnetcore#42580 [Blazor] Dynamic authentication requests aspnetcore#42692
• Bias-free communication sweep https://learn.microsoft.com/en-us/style-guide/bias-free-communication
• Check AuthorizeView coverage for error/API described in ClientID vs SecretID #31119.
• Check on antiforgery with the new standalone WASM w/Identity article scenario.
• There was no time to update the images for the Lazy load assemblies article. Consider bringing dev tools images back for the Complete example section.
• Check again the new guidance on breaking on unhandled exceptions with normal VS in 24Q1. My Preview VS might be funky and not permitting it to work properly. Cross-ref: WASM debug scenario update #30849
• To show and explain anti-request forgery in the File Uploads topic, use some commented-out text held there to enable controller services with AddControllersAndViews and pass the anti-forgery token to the Blazor app (<8.0) or obtain it from the anti-forgery feature (>=8.0) for the POST.
• Update for use of C# Dev Kit: https://marketplace.visualstudio.com/items?itemName=ms-dotnettools.csdevkit ... .NET talk is at https://www.youtube.com/watch?v=tFCZw-wZVtg and there's a .NET Conf talk on it Day 1 - 3:45
• Convert the Blazor-EFCore sample app's manual grid to use a GridView.
• With <NotFound> going away for BWA at 8.0, I think a dedicated bit in the Error handling topic on processing 404s via built-in server middleware makes sense (i.e., UseStatusCodePagesWithRedirects). Be sure to search for it because a cross-link is required in at least one case where I left a NOTE about BWAs not using the Not Found content template any longer.
• Root-level cascading values followup items: Root-level cascading values 8.0 #30095
• Custom ICU creation for WASM didn't make the cut for 8.0. It's scheduled for 9.0 now. [browser][icu] Automate custom icu creation runtime#82908
• Per the discussion at Simple Update for state management #29749, consider a more general demo of a state management service that works across clients/circuits.
• The debugging guidance seems to have regressed, perhaps just for .NET 8 preview. There's no file:// pages for debugging on the client.
• I wasn't able to resolve Provide examples/references to avoid unauthorized content display during prerendering #29448 with Provide examples of recommendations #29449 because I can't see how the implementation should be applied in the reader's example app to avoid the reported behavior. Will circle around to this subject with Javier after .NET 8 releases.
• Add nav menu cut-'n-paste snippets for our fully-working demos?
• Revert content (Live content) to a cross-link when Azure Static Web Apps docs get a tutorial/tooling guidance for the new publish from VS gesture. Tracking on Azure docs issue: Document new Blazor WASM SWA VS publishing feature MicrosoftDocs/azure-docs#112013
• Investigate this Artak remark on MIA security remarks: Something wrong with AuthorizationMessageHandler in .net 6 aspnetcore#38486 (comment) UPDATE (5/15): Will wait on this one because the PU issue is triaged for further investigation. UPDATE (7/6): This is currently triaged for 8.0. I'm still monitoring the PU issue.
• Need to keep an 👁️ on WebSockets with Azure Front Door remark in this section. Not supported today, but they might have something 23H1 roll out per https://github.com/MicrosoftDocs/architecture-center/issues/1891#issuecomment-1284754716 and https://feedback.azure.com/d365community/idea/c8b1d257-8a26-ec11-b6e6-000d3a4f0789.
• Although I'm working the Security node passes in February, I'm going to handle one item separately after the passes are finished pertaining to handling refresh tokens from Razor components when a request fails (e.g., Give more info about RefreshToken  #26086). Javier said, "... it involves sending a request to the token endpoint of the OIDC/OAuth provider in the same way you do in a web application." The refresh token is available to components via TokenProvider in the current guidance, so it seems that the component calls a server API to hit up the IdP to renew (and get a new refresh token) with an update to the TokenProvider with the new tokens. The component continues processing transparently (re-initiates the web API call that it was making in the first place) after the server-side work. Cross-refs: Miss a strategy to handle the refresh of tokens #19797 (comment)
  • Especially: How to refresh updated Claims without login out #22405 (comment)
  • ... and because it was never built-into the scaffolder to change the default logout page for Blazor Server: Scaffold different logout for Blazor Server Scaffolding#1423 ... OR, alternatively ...
  • XSRF antiforgery token content exists and the component can pass it to the endpoint because I don't think we want to tell devs to decorate server-side endpoints with @attribute [IgnoreAntiforgeryToken], including for logout. The coverage is at: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/scaffold-identity?view=aspnetcore-7.0&tabs=visual-studio#pass-an-xsrf-token-to-the-app
• Per Steve's .NET Conf talk, shouldn't we briefly cover FileSystem API use in Blazor apps?
• Let's run through the testassets pieces in the framework to see what might be helpful for devs to see in docs. It's a large task tho because there's so much there. This probably can't be worked in 23H1, possibly for 23Q3 tho.
• It would probably be nice to create a QuickGrid example that opens and closes a detail record component without losing the page and scroll position of the grid. For context, see Blazor database example's list page is reloaded when coming back from a details page blazor-samples#58.
• Do we want a cascading param state management example? https://learn.microsoft.com/en-us/aspnet/core/blazor/state-management?view=aspnetcore-6.0&pivots=webassembly#additional-approaches-wasm Blazor: In-memory state container as cascading parameter #27296
• Best to have PU 🐈 look over the SignalR-Blazor enhancements for SignalR config (in the SignalR doc and the WASM/Server Host and Deploy docs) and SignalR client logging (in the Logging doc).
• When Document blazor msbuild configuration options docs#27395 is resolved and Mono/WASM MSBuild props are covered, update the cross-links from the targets file to the new official doc. Links can be located on the PR that added them at Mono/WASM MSBuild property guidance #24493.
• Place element attributes in alphabetical order.

Resolved

• "MS Build" should have no space ... MSBuild. Remove space in "MS Build" #32485
• Check this Graph SDK v5 update #30792 to make sure the v5 code works. I think it will, but it's best to confirm it. I won't check it tho if Philip Reed gets back to me that it worked for him. Resolved by Graph scopes clarification and addl updates #32108.
• There are some Razor code rendering problems that should be reported. Done! Via email DR is aware and said he'll try again to get it improved.
• Preview notice in BWA+OIDC BFF pattern. UPDATE: Taken care of on an earlier PR.
• Update INCLUDEs for introductions WRT the examples going into the sample apps. INCLUDES removed, so no longer a concern.
• Find XXX.Count() > 0 and swap for .Any(). Swap .Any() for .Count() #33475.
• CODEOWNERS file updates for Blazor docs outside of the Blazor node. CODEOWNERS for Blazor docs #33478
• Blazor scaffolder location change in VS UI. Blazor scaffolder VS location change #33481
• Update the Blazor CRUD scaffolder to use IDbContextFactory instead of injecting the DbContext directly in to components ... Update the Blazor CRUD scaffolder to use IDbContextFactory instead of injecting the DbContext directly in to components Scaffolding#2693 Done! per the tutorial updates prior to merging the PR.
• Promote NOTE on 'Avoid using a loop variable directly in a lambda expression' in Images and Documents article to article text. Promote NOTE to article text #33483
• Merge Remove Blazor Server SignalR sample blazor-samples#303 after open PRs are merged. Done!
• Bad phrase in the QR code doc: "placeholder is where the site (company) name" ... needs "goes" at the end. Improve site (company) name setting coverage #33485
• Use "session affinity" instead of "sticky sessions," but call out that "sticky sessions" is also a commonly-used term. Use "session affinity" terminology #33487
• Confirm Blazor docs use "Native AOT" ... not "native AOT." Native AOT capitalization #33498
• Confirm that "Razor Class Library" (proper noun) is only used for text that refers to the project template. All other instances should use adjective capitalization ("Razor class library"). This should already be the case, so hopefully few or no 😈 have gotten into the docs over the years. RCL casing #33500 (only found in non-Blazor docs)
• Convert table format over to the simplified structure without opening and closing pipes (|). Table formatting #33560
• Analyze where/how "by default" is used in Blazor docs. Eliminate it spots where it isn't necessary. Also, confirm affirmative reasons for because subordinate conjunctions. Language updates #33587
• "Data Protection" should be capitalized when referring directly to the ASP.NET Core feature (service). Update to proper noun #33607
• RP/MVC tutorial movie attributions ... I don't think that they're present. UPDATE: Email sent to doc 🐈 🐈🐈.
• Mirror stronger remarks in Provide stronger guidance for using identity cookies over tokens for security #32994 for https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-identity. Stronger guidance for using Identity cookies #33610
• Main doc set: The HTTPS Redirection Middleware says "always" redirects, but that's not exactly right ... it's if there's an HTTPS port available that it always redirects. Clarify middleware activation #33613
• I made the Blazor script placeholder lines BOLD on Highlight placeholder line #31318 for the SignalR config doc. Do that everywhere across the Blazor docs. Enhance placeholder lines #33615
• Naming: Check/change from 'Blazor WebAssembly runtime" or just "WebAssembly runtime" to ".NET WebAssembly" runtime. Update WASM runtime naming #33617
• Make sure that @using static Microsoft.AspNetCore.Components.Web.RenderMode is in all of the 8.0+ _Imports.razor files. Per Integration article updates #31445. Confirmed OK! 👍 No action needed.
• It's desirable to identify whether the request is GET or POST in OnInitialized or OnParametersSetAsync blazor ssr form processing issues aspnetcore#51978 PR: Initialize form data with static SSR #33630
• For the RCL case in https://learn.microsoft.com/en-us/aspnet/core/blazor/javascript-interoperability/?view=aspnetcore-8.0#load-a-script-from-an-external-javascript-file-js, it shouldn't break using ./, but shouldn't we remove the ./ in the general case? Directory path notation (./) for RCL assets #33632
• Noting from a passing message because I don't think we cover it ... Does await base.OnAfterRenderAsync(firstRender); need to be called? No, we try to avoid making people call base on ComponentBase virtual methods. They can call it if they want but it’s a no-op. Covered! It was addressed on two PRs I believe within the last year or two.
• Check on "anti-forgery" vs. "antiforgery" ... the style manual uses "antiforgery" (no hyphen), but Chicago calls for it IIRC. We mostly seem to use the hyphen with it. Dehyphenate "anti-forgery" #33634
• Confer with Artak on the correct PU group to add to the dotnet/blazor-samples repo. Check for (and send) empty body on log out post. blazor-samples#136 Resolved! 👍
• Skipping API doc crosslinks for the Routing article because there's a large open PR on it. Circle back to it later. Routing article updates #33644
• Check on "interactive <Router> (or routing or router)" language for cross-links to new guidance in the Fundamentals > Routing article. Routing article updates #33644
• Check on places where the main (non-.Client) project is mentioned for BWAs and confirm that they're all described as the "server project." Checked! ... and seems ok.
• Check back in 24Q1 on the doc Razor code formatting problem reported in Incorrect code formatting in Tab.razor example #30157. Discussed with Dan offline.
• Component param example for How to render a matrix correctly in Blazor? aspnetcore#49945 (comment). Enhance loop variable rendering coverage #33648
• _/this all the things ... Fix naming violations in sample code (_camelCase with underscore for private fields) #30533 (comment). Blazor conventions updates #33652
• Consider moving the component example in Handle caught exceptions outside of a Razor component's lifecycle into the sample apps. For an alternative approach, see DispatchException sample blazor-samples#186. Nah! ... Let's go with what we have. WRT moving the sample to the sample app, let's leave it in place in the article for now.
• Keeping an 👁️ on Question/request for documentation on .NET WASM runtime env vars runtime#98225 for an additional update to Startup article guidance in the Configure the .NET WebAssembly runtime section. Add link to runtime doc request issue #33658 ... Cross-link the issue that I opened for now. Will update text when they place docs.
• Azure docs will host content+samples(s) for BWA+MS Identity Web+Azure hosting. Check back and cross-link to their new content when it appears. Blazor Web App with OIDC article #31555 (comment) UPDATE: Seems that the project template is going to produce this. If we carry a sample app/article, it will be determined by and opened in relation to .NET 9 coverage at RC2. It's tracked by the .NET 9 tracking issue.
• Consider Remove/update enhanced nav remark #31118 (comment) for coverage in 24H1. UPDATE: Per Mackinnon's remarks, let's NOT do anything about this at this time. He basically says that if they feel coverage is needed that they'll let me know.
• For the Standalone WASM w/Identity article+sample: Swap IdentityUser for AppUser -AND- I need to cross-link in the article's remark for "advanced Identity features" to whatever the main doc set is going to have on the subject in the SPA/Identity docs. SPA authentication and authorization doc #31010 (comment) UPDATE: The cross-link is already there, and we'll keep AppUser because the sample+article now manages user roles added to IdentityUser.
• Custom auth state provider refactor to include WASM coverage. Authentication state updates #33668

HOLD Key Vault code for BWA+OIDC and BWA+MS Identity Web articles ...

private string GetSecretFromKeyVault(string tenantId, string secretName)
{
    // this should point to your vault's URI, like https://<yourkeyvault>.vault.azure.net/
    string uri = Environment.GetEnvironmentVariable("KEY_VAULT_URI");
    DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions();

    // Specify the tenant ID to use the dev credentials when running the app locally
    options.VisualStudioTenantId = tenantId;
    options.SharedTokenCacheTenantId = tenantId;
    SecretClient client = new SecretClient(new Uri(uri), new DefaultAzureCredential(options));

    // The secret name, for example if the full url to the secret is https://<yourkeyvault>.vault.azure.net/secrets/ENTER_YOUR_SECRET_NAME_HERE
    Response<KeyVaultSecret> secret = client.GetSecretAsync(secretName).Result;

    return secret.Value.Value;
}

// uncomment the following 3 lines to get ClientSecret from KeyVault
//string tenantId = Configuration.GetValue<string>("AzureAd:TenantId");
//services.Configure<MicrosoftIdentityOptions>(
//   options => { options.ClientSecret = GetSecretFromKeyVault(tenantId, "ENTER_YOUR_SECRET_NAME_HERE"); });

Cross-ref: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/Startup.cs

PU review items

Steve:

• API of last paragraph in https://learn.microsoft.com/en-us/aspnet/core/blazor/components/render-components-outside-of-aspnetcore?view=aspnetcore-8.0.

Halter:

• Halter to review this section.
• Confirm scope and authority guidance in the BWA+OIDC article that was added on 3/26 on Update scope/authority guidance in BWA+OIDC article #32149.
• Ask Javier about https://github.com/dotnet/aspnetcore/blob/main/src/Components/test/testassets/BasicTestApp/MarkupBlockComponent.razor#L37C21-L37C37 because we say in the Threat Mitigation topic not to use builder.AddMarkupContent(0, someUserSuppliedString) because it can create an XSS vulnerability.

Mackinnon:

• Confirm language on interactive SSR components in the Pages folder of the .Client project.
• Put an 👁️ on one line in particular in the prerendering with JS interop INCLUDE file: An infinite loop isn't created because StateHasChanged is only called when scrollPosition is null.
• Review of the new section on custom input components at https://learn.microsoft.com/en-us/aspnet/core/blazor/forms/binding?view=aspnetcore-8.0#custom-input-components.
• Review of https://learn.microsoft.com/en-us/aspnet/core/blazor/images-and-documents
• Confirm addHandlers module FN approach for wiring up event handlers.
• When he's free, check on the param expression bit added by Bound field or property expression convention #32511.
• The framework does what we say devs aren't supposed to do on transient disposables for IHttpClientFactory/HttpClient.
• Why I couldn't load a script via control of <head> content for the JS collocation example. <HeadContent><script src="./Components/Pages/JsCollocation1.razor.js"></script></HeadContent>
• Check on the namespace section in the Components overview.
• Check on the "In components derived from the base class" bit in the DI topic. It doesn't make sense. It might be incorrect.
• Review of the new example at Fundamentals > DI > Utility base component classes to manage a DI scope section.
• The WHY aspects on MSBuild properties for hosted deployment options #26620 (comment). I'd like to know why the RID works with the MSBuild prop (/p:RuntimeIdentifier={RID} but the self-contained setting doesn't (/p:SelfContained=false).
• Review the code for streaming <textarea> content in a form of Message size limit enhancements #29541. Live
• Ask about https://docs.microsoft.com/en-us/aspnet/core/blazor/components/dynamiccomponent?view=aspnetcore-6.0 per Update event callback approach #26557. Is this the best way to showcase event callbacks with dynamic components?
• In UserClaims components (and perhaps a few other spots) the code for a collection displayed in the UI can can have the collection be assigned an empty value or left nullable with an additional Razor nullable check. Which is best? There's a text file on the desktop with the code either way.
• Do we need to assess all Blazor examples where tasks are awaited looking for spots where it would be more appropriate to avoid resuming with the context (ConfigureAwait(false))?

UE pass tracking

• Debug WebAssembly — Resolve 👉 Something is missing in this instructions on how to debug a Blazor Webassembly hosted. #23373 ... and we'll probably need to show full files everywhere we refer to tasks.json/launch.json due to Errors when running .net generate assets to build .vscode folder vscode-csharp#4542. See 👉 small clarification #23777
• WebAssembly native dependencies
• Test components - Specifically, let's consider hosting example component tests for WASM and Server (TestServer). Missing example on how to use TestServer with ASP.NET 6 #25263
• Host and deploy: Apache for hosted WASM/sub-app scenarios might need more work. See 👉 Blazor Linux hosting #24519 (comment).
  • Overview — Perhaps for Routing, too, but clarify the navigation behavior of NavigationManager.NavigateTo. See :point-right: Use relative path in NavigateTo #22146 (comment).
  • Blazor Server — See 👉 Publishing Blazor to IIS from Visual Studio #21226
  • Blazor WebAssembly — See 👉 Revert to minified Google Brotli script in Blazor WASM hosting #19979 and Virus Detected! #21829 (comment) and validate web.config post PR Remove .wasm file extension before redefining it #24950 and in light of discussion on https://stackoverflow.com/a/69888016 and https://stackoverflow.com/a/70967738. Probably add a tagged SO filter link: https://stackoverflow.com/questions/tagged/blazor+iis+compression
  • WebAssembly deployment layout
• Blazor Server and EF Core — Consider using the QuickGrid now that it's a supported part of the framework.

UE pass tracking

Articles that could benefit from the 🦖 Rex Treatment™ 🦖 ...

• Security node for 8.0/BWA/Identity components
• Blazor Server and EF Core
• Call web API topic: I'd like to divorce this from the main doc set's web API article in favor of a small Minimal APIs-based web API app for the experiences in the topic. I think churn on the main doc set article may have broken the cut-'n-paste, fully working examples that I have. I either need to update the examples to match the latest guidance in the web API article or place a dedicated app example in this topic, and I favor the latter because of on-going web API article churn ... this is a fragile 💥 setup because I don't maintain both articles.
• File Uploads article
• File Downloads article
• Test article
• PWA article
• Performance best practices article
• State Management article
• Virtualization article: Blazor Virtualize Docs Are Confusing #27537
• Blazor Hybrid
  • Overview
  • Tutorials
    • Overview
    • .NET MAUI
    • Windows Forms
    • WPF
  • Routing and navigation
  • Static files
  • Dev Tools
  • Reuse components

New for 8.0 ...

• ASP.NET Core Razor class libraries (RCLs) with static server-side rendering (static SSR)
• Integrate ASP.NET Core Razor components into ASP.NET Core apps
• Prerender ASP.NET Core Razor components
• Render Razor components outside of ASP.NET Core
• ASP.NET Core Blazor render modes
• ASP.NET Core Blazor sections
• Troubleshoot ASP.NET Core Blazor Hybrid
• ASP.NET Core Blazor JavaScript with static server-side rendering (static SSR)
• Threat mitigation guidance for ASP.NET Core Blazor static server-side rendering
• Secure ASP.NET Core Blazor WebAssembly with ASP.NET Core Identity