Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[net9.0] Update default BlazorWebView host address #24973

Closed
wants to merge 5 commits into from
Closed

[net9.0] Update default BlazorWebView host address #24973

wants to merge 5 commits into from

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Sep 27, 2024
edited by MackinnonBuck
Loading

Backport of #24884 to net9.0

Update default BlazorWebView host address

Changes the BlazorWebView host address to 0.0.0.1 to avoid incompatibility with future browser versions.

Description

There have been reports that MAUI Blazor stopped working in iOS 18 and macOS 15. This was due to BlazorWebView utilizing 0.0.0.0 as a host address, which is blocked in the latest versions of Safari. It was discovered that websites could send requests to 0.0.0.0 as a way to bypass Private Network Access, a standard that restricts websites from sending requests to servers on private networks. Chrome will block access to 0.0.0.0 starting in Chrome 129, and other browsers may soon follow.

This PR changes the default host address in BlazorWebView to 0.0.0.1, which is not blocked by browsers and is not subject to the same security risks.

Some other considered alternatives were:

  1. Using localhost. This has the risk that it may interfere with other applications running on localhost. In fact, the MAUI repo's MacOS automated tests failed when we attempted localhost.
  2. Using a fake host name (so the host address would be, e.g., https://blazor/). Unfortunately, this causes the browser to attempt DNS resolution, which causes the app to take longer to load.

Fixes #24363

Customer Impact

Without this fix, MAUI Blazor apps do not work in iOS 18 and macOS 15, and may soon stop working in Android.

Regression?

  • Yes
  • No

Whether the bug occurs is a factor of the browser version, not the MAUI version.

Risk

  • High
  • Medium
  • Low

We validated manually that all WebView implementations support 0.0.0.1. Automated tests validate this as well. There is no indication that browsers will block 0.0.0.1 in the near future. In case apps are affected by this change and need to revert to using 0.0.0.0, they can do so via an AppContext switch.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

@github-actions github-actions bot requested review from a team as code owners September 27, 2024 19:53
@rmarinho rmarinho added the do-not-merge Don't merge this PR label Sep 27, 2024
@rmarinho rmarinho closed this Sep 30, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Oct 31, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Eilon Eilon Awaiting requested review from Eilon Eilon is a code owner automatically assigned from dotnet/dotnet-maui-reviewers

@jfversluis jfversluis Awaiting requested review from jfversluis jfversluis is a code owner automatically assigned from dotnet/dotnet-maui-reviewers

Assignees
No one assigned
Labels
do-not-merge Don't merge this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rmarinho @MackinnonBuck