Add ability to use maui-blazor from http context

[sake402]

Description

Currently maui-blazor run in a browser client with url https://0.0.0.0. This makes it difficult to reference external url with http scheme due to browser security.

Public API Changes

Would love to be able configure builder.RegisterBlazorMauiWebView() to allow the url for the dom to be http instead of https.

Possibly like

builder.RegisterBlazorMauiWebView(options => options.SSL = false)

Intended Use-Case

In our case we are fetching external data from url that doesn't not have https at all

[Eilon]

@sake402 is this for displaying web assets directly from HTML, such as <img src="http://www.example.com/image.jpg" />? Or is this for the app making outgoing HTTP requests using something like HttpClient?

It should be noted that HTTP is not a secure protocol in any sense, so it is strongly discouraged to be used in any scenario at all. HTTP requests are vulnerable to many kinds of attacks.

[sake402]

@Eilon Yes for assets.

But In our case, we don't have control over the url of these assets as the source does not support https;

[Eilon]

@sake402 got it, thank you for clarifying.

[ghost]

We've moved this issue to the Future milestone. This means that it is not going to be worked on for the coming release. We will reassess the issue following the current release and consider this item at that time.

[javiercn]

@sake402 Allowing the webview to disable HTTPS has security implications since there is nothing that tells users that the page is in an unsafe context. (It might also disable some APIs) and might cause issues with Blazor itself.

There are ways in which you can accomplish this without having to change the URL scheme which will lower the security guarantees for your entire app.

You can create a component that receives the URL, downloads the file, passes it down to JavaScript via JS interop, creates an object URL and passes that object URL to the actual image tag.

@inject IJSRuntime JS

@if(@_objectUrl != null)
{
  @ChildContent(_objectUrl);
}

@code{
  private string _objectUrl;
  
  [Parameter] RenderFragment<string> Src { get; set; }
  
  protected override OnParametersSet()
  {
    var client = new HttpClient();
    var stream = await client.GetStreamAsync(Src);
    var streamReference = new DotNetStreamReference(reference);
    _objectUrl = await JS.InvokeAsync("URL.createObjectUrl", streamReference);
  }
}

We do have an issue for having a built-in component in .NET 7.0 that will help with something like this.

Based on this, I'm going to close this issue, since there are ways in which you can achieve this scenario and we are in general not comfortable with any flag that can lower the security in a production application. If we see more feedback in the future, we might reconsider.