Store non-sensitive UI state without protection#5434
Merged
Conversation
JamesNK
commented
Aug 26, 2024
drewnoakes
approved these changes
Aug 26, 2024
Member
drewnoakes
left a comment
drewnoakes
left a comment
There was a problem hiding this comment.
Approved, assuming the security review is completed before merge.
Comment on lines
+41
to
+45
| private ValueTask SetJsonAsync(string key, string json) | ||
| => _jsRuntime.InvokeVoidAsync("localStorage.setItem", key, json); | ||
|
|
||
| private ValueTask<string?> GetJsonAsync(string key) | ||
| => _jsRuntime.InvokeAsync<string?>("localStorage.getItem", key); |
Member
There was a problem hiding this comment.
These two methods return ValueTask. I'm not sure how often these would return completed tasks, but perhaps we also use value tasks on the new methods on ILocalStorage.
Member
Author
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Member
Author
Done over email |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Some UI state is stored in protected browser storage: details orientation and size.
Unfortunately protected storage becomes unusable if the dashboard's data protection keys change. This can happen if the dashboard is launched from a docker container (each run has new keys). I've also seen it when updating Aspire version - perhaps the dashboard being located in a different place or a different file name causes new keys? IDK.
The fix is to store long term (localStorage) non-sensitive state without protected. Values will be remembered between runs, and there won't be errors silently thrown in the background when attempting to unencrpyt and failing.
Short term storage (sessionStorage) that is used to store potentially sensitive page data still only allows storage with protection.
I'll double check this is safe with Blazor and security folks.
Fixes #4949
Checklist
<remarks />and<code />elements on your triple slash comments?Microsoft Reviewers: Open in CodeFlow