Aspnetcore: Blazor Release compile exposing the path of developer machine.

Exposing the develop machine path.

If you can provide minimal repro steps, we'd definitely be happy to figure out whether this is avoidable. By "minimal repro steps" I mean, having created a fresh new project using the Blazor project template, what's the smallest set of code changes or publishing steps that result in other people on the internet being able to observe this?

Security for exposing ajax Endpoint

I don't think that's got anything to do with Blazor. It's just a feature of all client-side web apps that the end user can observe their HTTP traffic and inspect all the code that was delivered to the browser. It wouldn't be any different with another SPA framework. Developers need a security model that doesn't rely on this information being secret (not just with Blazor, but with all client-side apps).

I imagine you are more talking about security by obscurity for the admin endpoints etc? Then lazy loading as tracked by aspnet/AspNetCore#5465 would solve this. The dll containing information about the admin panel for example would not be loaded until the user is authorised as an admin. However, this isn't much of a security guarantee and shouldn't be relied on as a way of protecting your admin endpoints.

I haven't the linked anymore , @SteveSandersonMS It's from your twitter feed, the one tweet you like last weekend called "Blazor Clock" I also cc the person who wrote the code in my post. When I open demo it's download the dll and I open that dll I see the machine related code, I confirm with the person that he is using release builds. I will check tonight my Facebook and update you the link.

Rather than sending a link, could you supply info on how to reproduce the issue? Otherwise we don't know whether it was something unusual that the developer did, and would not really be in a position to investigate.

@SteveSandersonMS yes, Please give me sometime, I am in Office, I will build demo from my home

Hello. It was my project.
Thank you for mention.
I have regular blazor app and blazor lib published on azure.
I downloaded publish profile for my free app service, imported in VS and just published project.
Sure publish means build release version, I checked and after publish there appears release sub folder in bin.
Only one thing I changed in both projects config was:

<PropertyGroup>
<UseRazorBuildServer>false</UseRazorBuildServer>
<PropertyGroup>

because build was very slow and when I did research I found this advice with worked for me.
But I don't think it matters for this issue.

I don't shared my project on github yet, because I'm ashamed to show you my code before good refactoring.

I am not good in security field and I can't say nothing helpful, I'm ready to do what else will requested from me.

I'll close this due to lack of info about where this path is being exposed.

If anyone is still affected and can supply repro info, please let us know!

I published repo after my last comment.

This project was the reason of this issue.

@anirudhagupta can you provide more details please.

I don't know what else I can do.

@Lupusa87 sure,

I try to reproduce on my machine, I better find it in your online running demo.

I open the demo at latest chrome. please check the screenshot

cc @SteveSandersonMS

Thanks @anirudhagupta, that's helpful! Reopening for consideration.

On further consideration, this isn't specific to Blazor at all, but rather is an aspect of how .NET overall works. It does embed the absolute path to PDBs.

I understand that with Blazor, you're supplying the .dll files to clients in a way that you wouldn't with a server-only .NET app. But Blazor is not the only case where people distribute .NET assembly files to third parties. For example, there's also:

• Publishing NuGet packages to nuget.org
• Other .NET client application project types (WinForms, UWP, etc.)

In these cases you are also exposing the build server's paths to the public. For example, I just got the current version of Json.NET from NuGet, inspected Newtonsoft.Json.dll, and found this:

That file path isn't on my PC. It must be from the CI machine (or @JamesNK's laptop?) that built the package.

So I don't think it's any more of a concern for Blazor app publishers than it would be for, say, anyone publishing NuGet packages. If this really does concern you, there's probably some way to modify the generated assembly file, or you could raise this with the C# compiler team as something that could be changed.

cc @rynowak @danroth27 in case they have other opinions or ideas of how this could be changed.

From my laptop 😄

If this really does concern you, there's probably some way to modify the generated assembly file,

If I'm not mistaken, and a quick test with a Blazor release build appears to confirm this, you can simply configure this in your .csproj. In Visual Studio, in the project properties, Build, Advanced…, set Debugging information: to None. I can no longer find the .pdb path in the DLL.

This will do:

  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
    <DebugType>none</DebugType>
    <DebugSymbols>false</DebugSymbols>
  </PropertyGroup>

Presumably, other DebugType settings will also be sufficient.