From b94db87a126fd5a9febf19e450a9cadbeb976966 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Wed, 20 Mar 2024 11:10:19 -0400 Subject: [PATCH 1/3] Surface warning on compression for interactive SSR --- aspnetcore/blazor/components/index.md | 2 ++ aspnetcore/blazor/fundamentals/routing.md | 2 ++ .../blazor/includes/compression-with-untrusted-data.md | 6 ++++++ aspnetcore/blazor/javascript-interoperability/index.md | 8 ++++++++ .../security/server/interactive-server-side-rendering.md | 4 ++-- 5 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 aspnetcore/blazor/includes/compression-with-untrusted-data.md diff --git a/aspnetcore/blazor/components/index.md b/aspnetcore/blazor/components/index.md index c006c796de05..0c1e97ad11a2 100644 --- a/aspnetcore/blazor/components/index.md +++ b/aspnetcore/blazor/components/index.md @@ -1112,6 +1112,8 @@ For more information, see the *Route parameters* section of [!WARNING>] +> When compression is enabled, avoid creating secure (authenticated/authorized) interactive server-side rendered components that render data from untrusted sources. Untrusted sources include route parameters, query strings, data from JS interop, and any other source of data that a third-party user can control (databases, external services). For more information, see and . + +:::moniker-end diff --git a/aspnetcore/blazor/javascript-interoperability/index.md b/aspnetcore/blazor/javascript-interoperability/index.md index 19ddf54246fc..331ccebb9fe8 100644 --- a/aspnetcore/blazor/javascript-interoperability/index.md +++ b/aspnetcore/blazor/javascript-interoperability/index.md 
@@ -28,6 +28,14 @@ Further JS interop guidance is provided in the following articles: :::moniker-end +:::moniker range=">= aspnetcore-9.0" + +## Compression for interactive server components with untrusted data + +:::moniker-end + +[!INCLUDE[](~/includes/compression-with-untrusted-data.md)] + ## JavaScript interop abstractions and features package The [`@microsoft/dotnet-js-interop` package (`npmjs.com`)](https://www.npmjs.com/package/@microsoft/dotnet-js-interop) ([`Microsoft.JSInterop` NuGet package](https://www.nuget.org/packages/Microsoft.JSInterop)) provides abstractions and features for interop between .NET and JavaScript (JS) code. Reference source is available in the [`dotnet/aspnetcore` GitHub repository (`/src/JSInterop` folder)](https://github.com/dotnet/aspnetcore/tree/main/src/JSInterop). For more information, see the GitHub repository's `README.md` file. diff --git a/aspnetcore/blazor/security/server/interactive-server-side-rendering.md b/aspnetcore/blazor/security/server/interactive-server-side-rendering.md index ee2b12833f0b..8f71dbbb86b7 100644 --- a/aspnetcore/blazor/security/server/interactive-server-side-rendering.md +++ b/aspnetcore/blazor/security/server/interactive-server-side-rendering.md 
@@ -29,7 +29,7 @@ In constrained environments, such as inside corporate networks or intranets, som ## Interactive Server Components with WebSocket compression enabled -Compression can expose the app to side-channel attacks against the TLS encryption of the connection, such as [CRIME](https://wikipedia.org/wiki/CRIME_(security_exploit)) and [BREACH](https://wikipedia.org/wiki/BREACH_(security_exploit)) attacks. These types of attacks require that the attacker: +[Compression](xref:blazor/fundamentals/signalr#websocket-compression-for-interactive-server-components) can expose the app to side-channel attacks against the TLS encryption of the connection, such as [CRIME](https://wikipedia.org/wiki/CRIME_(security_exploit)) and [BREACH](https://wikipedia.org/wiki/BREACH_(security_exploit)) attacks. These types of attacks require that the attacker: * Force a browser to issue requests with a payload the attacker controls to a vulnerable site via cross-site form posting or by embedding the site inside an iframe of another site. * Observe the length of the compressed and encrypted response over the network. @@ -52,7 +52,7 @@ Generally speaking, Blazor apps can enable compression over the WebSocket connec * Rendering PII information on to the page at the same time as data coming from another user via JS interop or a local singleton service on the server. -In general, we recommend that you avoid rendering components that contain sensitive information alongside components that can render data from untrusted sources as part of the same render batch. +In general, we recommend that you avoid rendering components that contain sensitive information alongside components that can render data from untrusted sources as part of the same render batch. Untrusted sources include route parameters, query strings, data from JS interop, and any other source of data that a third-party user can control (databases, external services). :::moniker-end 
From e3f7bcfb8f09ed4c48ef2972b9f24c8977d6497f Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Wed, 20 Mar 2024 11:19:54 -0400 Subject: [PATCH 2/3] Updates --- aspnetcore/blazor/components/index.md | 2 +- aspnetcore/blazor/fundamentals/routing.md | 2 +- aspnetcore/blazor/javascript-interoperability/index.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aspnetcore/blazor/components/index.md b/aspnetcore/blazor/components/index.md index 0c1e97ad11a2..04788994d7ff 100644 --- a/aspnetcore/blazor/components/index.md +++ b/aspnetcore/blazor/components/index.md @@ -1112,7 +1112,7 @@ For more information, see the *Route parameters* section of Date: Wed, 20 Mar 2024 11:31:24 -0400 Subject: [PATCH 3/3] Updates --- aspnetcore/blazor/includes/compression-with-untrusted-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/includes/compression-with-untrusted-data.md b/aspnetcore/blazor/includes/compression-with-untrusted-data.md index c6c5bbcd4f38..d7d547ef8fe6 100644 --- a/aspnetcore/blazor/includes/compression-with-untrusted-data.md +++ b/aspnetcore/blazor/includes/compression-with-untrusted-data.md 
@@ -1,6 +1,6 @@ :::moniker range=">= aspnetcore-9.0" > [!WARNING>] -> When compression is enabled, avoid creating secure (authenticated/authorized) interactive server-side rendered components that render data from untrusted sources. Untrusted sources include route parameters, query strings, data from JS interop, and any other source of data that a third-party user can control (databases, external services). For more information, see and . +> With compression, which is enabled by default, avoid creating secure (authenticated/authorized) interactive server-side components that render data from untrusted sources. Untrusted sources include route parameters, query strings, data from JS interop, and any other source of data that a third-party user can control (databases, external services). For more information, see and . :::moniker-end
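Review bot: The alert marker in the `aspnetcore/blazor/components/index.md` hunk of PATCH 1/3 reads `[!WARNING>]`; the docfx alert syntax is `> [!WARNING]` on its own line, and a stray `>` inside the brackets makes the block render as an ordinary blockquote rather than a warning callout, so please confirm the added line is `> [!WARNING]`. In the same hunk the closing sentence reads "For more information, see and ." with no visible link targets; check that the two cross-references render, since an empty "see and" is exactly what a reader sees when an xref fails to resolve.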
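Review bot: The include path in the `aspnetcore/blazor/javascript-interoperability/index.md` hunk of PATCH 1/3 does not match the file the patch creates. The diffstat shows `create mode 100644 aspnetcore/blazor/includes/compression-with-untrusted-data.md`, but the added line is `[!INCLUDE[](~/includes/compression-with-untrusted-data.md)]`. If `~/` resolves to the `aspnetcore/` root, as it does for the other includes in this repo, that path points at `aspnetcore/includes/...` and the include will fail to resolve at build time; it should be `[!INCLUDE[](~/blazor/includes/compression-with-untrusted-data.md)]` unless the build maps `~/includes` elsewhere. Note also that the heading is wrapped in a `:::moniker range=">= aspnetcore-9.0"` block while the include line sits outside it; that is fine only because the included file carries its own moniker block (visible in PATCH 3/3), but it is worth a comment so a later edit does not remove one gate without the other.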
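Review bot: The second hunk in `aspnetcore/blazor/security/server/interactive-server-side-rendering.md` of PATCH 1/3 appends the sentence "Untrusted sources include route parameters, query strings, data from JS interop, and any other source of data that a third-party user can control (databases, external services)." verbatim to a page that already carries the same sentence through the new include file. PATCH 3/3 later reworded the include's first sentence without touching this copy, which is the drift this duplication invites; consider keeping the list of untrusted sources only in `compression-with-untrusted-data.md` and having this page link to it, or at least add a comment noting the two copies must stay in sync. The first hunk, which turns "Compression" into a link to the SignalR compression section, is fine.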
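Review bot: The PATCH 3/3 hunk in `compression-with-untrusted-data.md` changes "When compression is enabled" to "With compression, which is enabled by default", but leaves the unchanged context line `> [!WARNING>]` and the closing "For more information, see and ." as they were. Since this commit already touches the file, it is the right place to correct the alert marker to `> [!WARNING]` and to verify that the two cross-reference targets at the end of the paragraph actually resolve; as shown in the hunk, the sentence has no visible targets. The claim that compression is enabled by default should also match the statement in the SignalR section that the PATCH 1/3 hunk links to (`xref:blazor/fundamentals/signalr#websocket-compression-for-interactive-server-components`), since the two pages now describe the same default.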