Prevent browser refresh script from injecting into iframes (#21954)

Fixes dotnet/aspnetcore#37326

Author: pranavkm

src/BuiltInTools/BrowserRefresh/BrowserRefreshMiddleware.cs

@@ -7,6 +7,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Primitives;
 using Microsoft.Net.Http.Headers;
 
 namespace Microsoft.AspNetCore.Watch.BrowserRefresh
@@ -23,7 +24,7 @@ public BrowserRefreshMiddleware(RequestDelegate next, ILogger<BrowserRefreshMidd
         public async Task InvokeAsync(HttpContext context)
         {
             // We only need to support this for requests that could be initiated by a browser.
-            if (IsBrowserRequest(context))
+            if (IsBrowserDocumentRequest(context))
             {
                 // Use a custom StreamWrapper to rewrite output on Write/WriteAsync
                 using var responseStreamWrapper = new ResponseStreamWrapper(context, _logger);
@@ -57,16 +58,25 @@ public async Task InvokeAsync(HttpContext context)
             }
         }
 
-        internal static bool IsBrowserRequest(HttpContext context)
+        internal static bool IsBrowserDocumentRequest(HttpContext context)
         {
             var request = context.Request;
             if (!HttpMethods.IsGet(request.Method) && !HttpMethods.IsPost(request.Method))
             {
                 return false;
             }
 
+            if (request.Headers.TryGetValue("Sec-Fetch-Dest", out var values) &&
+                !StringValues.IsNullOrEmpty(values) &&
+                !string.Equals(values[0], "document", StringComparison.OrdinalIgnoreCase))
+            {
+                // See https://github.com/dotnet/aspnetcore/issues/37326.
+                // Only inject scripts that are destined for a browser page.
+                return false;
+            }
+
             var typedHeaders = request.GetTypedHeaders();
-            if (!(typedHeaders.Accept is IList<MediaTypeHeaderValue> acceptHeaders))
+            if (typedHeaders.Accept is not IList<MediaTypeHeaderValue> acceptHeaders)
             {
                 return false;
             }

src/Tests/Microsoft.AspNetCore.Watch.BrowserRefresh.Tests/BrowserRefreshMiddlewareTest.cs

@@ -16,7 +16,7 @@ public class BrowserRefreshMiddlewareTest
         [InlineData("DELETE")]
         [InlineData("head")]
         [InlineData("Put")]
-        public void IsBrowserRequest_ReturnsFalse_ForNonGetOrPostRequests(string method)
+        public void IsBrowserDocumentRequest_ReturnsFalse_ForNonGetOrPostRequests(string method)
         {
             // Arrange
             var context = new DefaultHttpContext
@@ -32,14 +32,14 @@ public void IsBrowserRequest_ReturnsFalse_ForNonGetOrPostRequests(string method)
             };
 
             // Act
-            var result = BrowserRefreshMiddleware.IsBrowserRequest(context);
+            var result = BrowserRefreshMiddleware.IsBrowserDocumentRequest(context);
 
             // Assert
             Assert.False(result);
         }
 
         [Fact]
-        public void IsBrowserRequest_ReturnsFalse_IsRequestDoesNotAcceptHtml()
+        public void IsBrowserDocumentRequest_ReturnsFalse_IsRequestDoesNotAcceptHtml()
         {
             // Arrange
             var context = new DefaultHttpContext
@@ -55,14 +55,14 @@ public void IsBrowserRequest_ReturnsFalse_IsRequestDoesNotAcceptHtml()
             };
 
             // Act
-            var result = BrowserRefreshMiddleware.IsBrowserRequest(context);
+            var result = BrowserRefreshMiddleware.IsBrowserDocumentRequest(context);
 
             // Assert
             Assert.False(result);
         }
 
         [Fact]
-        public void IsBrowserRequest_ReturnsTrue_ForGetRequestsThatAcceptHtml()
+        public void IsBrowserDocumentRequest_ReturnsTrue_ForGetRequestsThatAcceptHtml()
         {
             // Arrange
             var context = new DefaultHttpContext
@@ -78,14 +78,14 @@ public void IsBrowserRequest_ReturnsTrue_ForGetRequestsThatAcceptHtml()
             };
 
             // Act
-            var result = BrowserRefreshMiddleware.IsBrowserRequest(context);
+            var result = BrowserRefreshMiddleware.IsBrowserDocumentRequest(context);
 
             // Assert
             Assert.True(result);
         }
 
         [Fact]
-        public void IsBrowserRequest_ReturnsTrue_ForRequestsThatAcceptAnyHtml()
+        public void IsBrowserDocumentRequest_ReturnsTrue_ForRequestsThatAcceptAnyHtml()
         {
             // Arrange
             var context = new DefaultHttpContext
@@ -101,12 +101,112 @@ public void IsBrowserRequest_ReturnsTrue_ForRequestsThatAcceptAnyHtml()
             };
 
             // Act
-            var result = BrowserRefreshMiddleware.IsBrowserRequest(context);
+            var result = BrowserRefreshMiddleware.IsBrowserDocumentRequest(context);
 
             // Assert
             Assert.True(result);
         }
 
+        [Fact]
+        public void IsBrowserDocumentRequest_ReturnsTrue_IfRequestDoesNotHaveFetchMetadataRequestHeader()
+        {
+            // Arrange
+            var context = new DefaultHttpContext
+            {
+                Request =
+                {
+                    Method = "GET",
+                    Headers =
+                    {
+                        ["Accept"] = "text/html",
+                    },
+                },
+            };
+
+            // Act
+            var result = BrowserRefreshMiddleware.IsBrowserDocumentRequest(context);
+
+            // Assert
+            Assert.True(result);
+        }
+
+        [Fact]
+        public void IsBrowserDocumentRequest_ReturnsTrue_IfRequestFetchMetadataRequestHeaderIsEmpty()
+        {
+            // Arrange
+            var context = new DefaultHttpContext
+            {
+                Request =
+                {
+                    Method = "Post",
+                    Headers =
+                    {
+                        ["Accept"] = "text/html",
+                        ["Sec-Fetch-Dest"] = string.Empty,
+                    },
+                },
+            };
+
+            // Act
+            var result = BrowserRefreshMiddleware.IsBrowserDocumentRequest(context);
+
+            // Assert
+            Assert.True(result);
+        }
+
+        [Theory]
+        [InlineData("document")]
+        [InlineData("Document")]
+        public void IsBrowserDocumentRequest_ReturnsTrue_IfRequestFetchMetadataRequestHeaderIsDocument(string headerValue)
+        {
+            // Arrange
+            var context = new DefaultHttpContext
+            {
+                Request =
+                {
+                    Method = "Post",
+                    Headers =
+                    {
+                        ["Accept"] = "text/html",
+                        ["Sec-Fetch-Dest"] = headerValue,
+                    },
+                },
+            };
+
+            // Act
+            var result = BrowserRefreshMiddleware.IsBrowserDocumentRequest(context);
+
+            // Assert
+            Assert.True(result);
+        }
+
+        [Theory]
+        [InlineData("frame")]
+        [InlineData("iframe")]
+        [InlineData("serviceworker")]
+        public void IsBrowserDocumentRequest_ReturnsFalse_IfRequestFetchMetadataRequestHeaderIsNotDocument(string headerValue)
+        {
+            // Arrange
+            var context = new DefaultHttpContext
+            {
+                Request =
+                {
+                    Method = "Post",
+                    Headers =
+                    {
+                        ["Accept"] = "text/html",
+                        ["Sec-Fetch-Dest"] = headerValue,
+                    },
+                },
+            };
+
+            // Act
+            var result = BrowserRefreshMiddleware.IsBrowserDocumentRequest(context);
+
+            // Assert
+            Assert.False(result);
+        }
+
         [Fact]
         public async Task InvokeAsync_AddsScriptToThePage()
         {