dotnet/jsinterop

Question: how secure is JSInvokable?

Closed this issue · 1 comment

uazo commented

Hi guys,
I was thinking about how safe it would be to allow any call from javascript to .net functions via the JSInvokable attribute.
In a fully client environment (i.e. Blazor) it might not be a problem (client on client, you know it's insecure), but in Razor Components we're practically expanding the attack surface on the server (among other things, without even saying it clearly).
Could it be useful to add a sort of filter to the call so that you can intercept it and make it possible for the developer to block any illegitimate call?
Another alternative is to evaluate whether to use System.Security.Policy Evidence, so that calls from js run in a less secure context, but I think that it is also necessary to modify the hosting model of .net core to allow it.
I do not know; I await your considerations. Maybe it's not a problem ...
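One way a developer can gate JS-initiated calls in their own code, as an added example that is not code from the issue or from the JSInterop project: expose an instance method through a `DotNetObjectReference` instead of a static `[JSInvokable]` method, and treat every call as an untrusted request by validating its arguments and re-checking the user's identity on the server. It assumes the current `Microsoft.JSInterop` and Blazor `AuthenticationStateProvider` APIs; the class, method and JS function names and the `"Administrator"` role are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.JSInterop;

// Added example: a hypothetical server-side helper exposing one [JSInvokable] method.
// Class, method and JS function names and the role name are assumptions.
public sealed class AccountActions : IDisposable
{
    private readonly AuthenticationStateProvider _auth;
    private readonly IJSRuntime _js;
    private readonly DotNetObjectReference<AccountActions> _self;

    public AccountActions(AuthenticationStateProvider auth, IJSRuntime js)
    {
        _auth = auth;
        _js = js;
        // Instance methods are reachable only through this reference, and only while it
        // lives; a static [JSInvokable] method is reachable by assembly and method name
        // from any script running in the circuit.
        _self = DotNetObjectReference.Create(this);
    }

    // Hand the reference to the page's script (hypothetical JS function name).
    public ValueTask RegisterAsync() =>
        _js.InvokeVoidAsync("accountActions.register", _self);

    [JSInvokable]
    public async Task<bool> CloseAccountAsync(string accountId)
    {
        // Every argument arrives from the browser: validate it like a request body.
        if (!Guid.TryParse(accountId, out var id))
            return false;

        // Authorize on the server for each call; client-side checks may have been bypassed.
        var state = await _auth.GetAuthenticationStateAsync();
        var user = state.User;
        if (user.Identity?.IsAuthenticated != true || !user.IsInRole("Administrator"))
            return false;

        // ... perform the privileged operation for `id` here ...
        return true;
    }

    // Dispose the reference with the component so the method can no longer be invoked.
    public void Dispose() => _self.Dispose();
}
```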

We're closing this item because this project has moved to another repo.

Please go to https://github.com/aspnet/Extensions/tree/master/src/JSInterop to see the latest JSInterop code base and to file issues.

We apologize if this causes any inconvenience. We ask that if you are still encountering an issue, please log a new issue with updated information and we will investigate.