
Forgive me if I am missing something obvious with Blazor, but with the DLLs being present in the browser as JavaScript files would be, is it possible for users to download the DLL files and see the execution code by decompiling the files and/or run them outside of the browser?

This seems to present a very clear security concern if developers are not aware that their library code is visible, as their JavaScript code already is.

HighlanderGrogg

2 Answers


Of course they can: those DLLs are just static files served by the web server. I'd recommend reading this excellent blog post on how the browser runs those DLLs:

In interpreted mode, the Mono runtime itself is compiled to WebAssembly, but your .NET assembly files are not. The browser can then load and execute the Mono runtime, which in turn can load and execute standard .NET assemblies (regular .NET .dll files) built by the normal .NET compilation toolchain.

If you don't want the user to reverse-engineer (easily) your code, then the answer is code obfuscation. Blazor does not plan to provide such functionality; any standard .NET obfuscator should work. I haven't tried it myself, but I'm sure it would be a bumpy road.

Leonardo
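The "static files served by the web server" point above can be checked without opening a browser at all. The following is an added example in Python (not code from the answer, and not part of Blazor): it reads the loader manifest a Blazor WebAssembly site publishes at `_framework/blazor.boot.json`, lists every file the browser will fetch, and checks a downloaded file against the `sha256-` digest the manifest advertises. The manifest shape assumed here (`resources.assembly` / `pdb` / `runtime`, keyed by file name, with `sha256-<base64>` values) is the .NET 5 to 7 layout; newer SDKs ship assemblies as `.wasm` (webcil) but keep the same key/value shape. The sample manifest and file bytes are constructed inline, and `https://example.test/app/` is a placeholder base URL.

```python
"""Enumerate and integrity-check what a Blazor WebAssembly site ships to the browser.

Added example, not from the original answer. Assumes the .NET 5-7 layout of
_framework/blazor.boot.json: resources.assembly / .pdb / .runtime keyed by file
name, value "sha256-<base64 digest>".
"""
import base64
import hashlib
import hmac
import json
import urllib.request
from typing import Optional
from urllib.parse import urljoin

SECTIONS = ("assembly", "pdb", "runtime")


def sri_sha256(data: bytes) -> str:
    """Subresource-Integrity style digest, the format blazor.boot.json uses."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def shipped_urls(manifest: dict, base_url: str) -> dict:
    """Map every file the loader will fetch to its absolute URL under _framework/.

    base_url must end with "/" (urljoin drops the last path segment otherwise).
    """
    urls = {}
    for section in SECTIONS:
        for name in manifest.get("resources", {}).get(section, {}):
            urls[name] = urljoin(base_url, "_framework/" + name)
    return urls


def expected_digest(manifest: dict, name: str) -> Optional[str]:
    """The digest the manifest advertises for `name`, or None if it is not listed."""
    for section in SECTIONS:
        digest = manifest.get("resources", {}).get(section, {}).get(name)
        if digest:
            return digest
    return None


def verify(manifest: dict, name: str, data: bytes) -> bool:
    """True only if `data` matches the manifest digest for `name` (constant-time compare)."""
    expected = expected_digest(manifest, name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sri_sha256(data))


def download_all(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch the manifest and every listed file from a live site; report which verify.

    Needs network access; nothing below calls it. Save the bytes yourself if you
    want to feed them to a decompiler afterwards.
    """
    with urllib.request.urlopen(urljoin(base_url, "_framework/blazor.boot.json"), timeout=timeout) as r:
        manifest = json.load(r)
    results = {}
    for name, url in shipped_urls(manifest, base_url).items():
        with urllib.request.urlopen(url, timeout=timeout) as r:
            results[name] = verify(manifest, name, r.read())
    return results


# Constructed sample: fake file contents and a manifest built from their digests.
SAMPLE_FILES = {
    "MyApp.dll": b"MZ fake client assembly",
    "MyApp.Data.dll": b"MZ fake data-access assembly",
    "dotnet.wasm": b"\x00asm\x01\x00\x00\x00",
}
SAMPLE_MANIFEST = {
    "entryAssembly": "MyApp",
    "resources": {
        "assembly": {n: sri_sha256(SAMPLE_FILES[n]) for n in ("MyApp.dll", "MyApp.Data.dll")},
        "runtime": {"dotnet.wasm": sri_sha256(SAMPLE_FILES["dotnet.wasm"])},
    },
}

if __name__ == "__main__":
    for name, url in shipped_urls(SAMPLE_MANIFEST, "https://example.test/app/").items():
        print(name, url, "ok" if verify(SAMPLE_MANIFEST, name, SAMPLE_FILES[name]) else "MISMATCH")
```

The digest in the manifest is the same Subresource Integrity value the Blazor loader hands to `fetch()`, so a file altered in transit or on a CDN is refused by the browser; it does nothing to stop a user from reading the file, which is exactly the question's point. Point `download_all` at a real site (base URL ending in `/`) to pull the complete set the browser would receive.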

Yes indeed.

This is part of the reason why there are 2 Blazor flavors:

  1. Blazor WebAssembly (i.e. client side Blazor)
  2. Blazor Server

Blazor Server apps will only ever respond to the browser with the following files:

  • index.html
  • css
  • blazor.server.js
  • Other usual stuff (e.g. images, fonts, etc.)

All the rendering code and other code (your awesome libraries with your awesome code) will run on the server.

Using SignalR, the browser and server will constantly stay in touch (usually via websockets), and whenever the UI needs to change, the server will make calculations and tell the browser how to re-render the UI. All this magic happens in the browser thanks to that blazor.server.js file.

With this pattern, no DLLs are required in the browser.

Now, when it comes to Blazor WebAssembly (client side flavor), you probably don't want to deliver to the browser any sensitive proprietary code, etc. Sure, you can always use tools to obfuscate your code, but you probably want to make API calls where possible and have sensitive code run on the server.

Francisco Vilches
  • So if I am required not to include any binary (.exe, .dll) files Blazor Server is my only option (among the two)? – Gray_Rhino Nov 24 '20 at 10:06
  • If, for example, your DLLs contain sensitive proprietary stuff, it would be best practice to not have them in the client (i.e. browsers). But hey, this applies to any SPA (React, Vue, etc.). So if you go the Blazor WebAssembly way, design it as you would any other SPA. For biz logic, data access etc. simply call your API. That being said, the Blazor W.A. vs Server choice shouldn't be based on the above requirement, e.g. choose the Server flavor if you need to support IE, need to use the full .NET Framework, etc.; choose the W.A. flavor if you want offline capability, lower server costs, etc. – Francisco Vilches Nov 24 '20 at 10:38
  • I have a relatively simple task where the client should show basic real-time updated data (think of stock price change every second etc...) from the server. Since I am new to all these it's a little confusing to pick the right tools. Thanks a lot for your time and would appreciate if you have any suggestions for my case. – Gray_Rhino Nov 24 '20 at 12:54
  • Another noob question: so the .dll files that are auto-generated (in bin or obj folders) are also counted? – Gray_Rhino Nov 24 '20 at 13:03
  • gRPC + Blazor would be a good fit for the stock price scenario you mention. If using Blazor server you can use "traditional" gRPC. If using Blazor W.A you could use gRPC-web (it supports server streaming as well). "traditional" gRPC might be a tad easier to implement. Docs: https://learn.microsoft.com/en-us/aspnet/core/grpc/browser – Francisco Vilches Nov 24 '20 at 13:14
  • "so the .dll files that are in auto-generated (in bin or obj folders) are also counted?" answer: easy, open browser, press F12, click on Network tab, browse to your site, Network tab displays all files downloaded – Francisco Vilches Nov 24 '20 at 13:16
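The answer's advice to keep proprietary and data-access code behind an API, and the comment's F12 Network-tab check, both come down to one question: which assemblies actually left the build and reached `wwwroot/_framework`? The following is an added example in Python (not the answer's tooling, and not part of the Blazor SDK) of a build gate that walks a Blazor WebAssembly publish directory and fails if any assembly matches a server-only naming pattern or if `.pdb` symbol files were shipped. The patterns (`*.Data.*`, `*.Infrastructure.*`, `*.Server.*`, `Microsoft.EntityFrameworkCore*`) and the sample publish tree are assumptions made for the example; substitute your own solution's project names.

```python
"""Fail a build if server-only assemblies or symbol files land in Blazor WebAssembly publish output.

Added example, not from the original answer. Assumes the default publish layout
<publish dir>/wwwroot/_framework/ and a naming convention in which data-access
and other server-side code lives in assemblies matching SERVER_ONLY_PATTERNS.
"""
import fnmatch
import pathlib
import sys
import tempfile

# Glob patterns for assemblies that must never reach the browser. These names are
# assumptions for the example; use your own solution's server-side project names.
SERVER_ONLY_PATTERNS = (
    "*.Data.*",                     # e.g. MyApp.Data.dll / MyApp.Data.wasm
    "*.Infrastructure.*",
    "*.Server.*",
    "Microsoft.EntityFrameworkCore*",
)


def shipped_files(publish_dir) -> list:
    """Managed assemblies and symbol files under wwwroot/_framework (runtime dotnet.* excluded)."""
    fw = pathlib.Path(publish_dir) / "wwwroot" / "_framework"
    if not fw.is_dir():
        raise FileNotFoundError(f"no _framework directory under {publish_dir}")
    names = []
    for p in fw.iterdir():
        if not p.is_file():
            continue
        if p.suffix in (".dll", ".pdb") or (p.suffix == ".wasm" and not p.name.startswith("dotnet")):
            names.append(p.name)
    return sorted(names)


def findings(publish_dir, patterns=SERVER_ONLY_PATTERNS) -> dict:
    """Map each offending file name to the reason it was flagged."""
    out = {}
    for name in shipped_files(publish_dir):
        if name.endswith(".pdb"):
            out[name] = "symbol file shipped: decompiled output keeps original names and line info"
        elif any(fnmatch.fnmatchcase(name, pat) for pat in patterns):
            out[name] = "matches a server-only pattern"
    return out


def make_sample_publish(root) -> pathlib.Path:
    """Constructed publish tree standing in for `dotnet publish -c Release` output."""
    fw = pathlib.Path(root) / "wwwroot" / "_framework"
    fw.mkdir(parents=True, exist_ok=True)
    for name in ("MyApp.dll", "MyApp.Shared.dll", "MyApp.Data.dll",
                 "Microsoft.EntityFrameworkCore.dll", "MyApp.pdb",
                 "dotnet.wasm", "blazor.boot.json"):
        (fw / name).write_bytes(b"placeholder")  # contents are irrelevant to the check
    return pathlib.Path(root)


def demo_findings() -> dict:
    """Run the gate over the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return findings(make_sample_publish(tmp))


if __name__ == "__main__":
    # Usage: python gate.py <publish dir>; with no argument the constructed sample is used.
    hits = findings(sys.argv[1]) if len(sys.argv) > 1 else demo_findings()
    for name, why in hits.items():
        print(f"{name}: {why}")
    sys.exit(1 if hits else 0)
```

Run it as a step after `dotnet publish` in CI; a non-zero exit blocks the deploy. The check is deliberately name-based, so it only catches what your naming convention makes visible; the manifest listing or the browser's Network tab remains the ground truth for what the client actually downloads.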