BlazorFrame 1.2.1
There is a newer version of this package available.
See the version list below for details.
See the version list below for details.
dotnet add package BlazorFrame --version 1.2.1
NuGet\Install-Package BlazorFrame -Version 1.2.1
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="BlazorFrame" Version="1.2.1" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="BlazorFrame" Version="1.2.1" />
<PackageReference Include="BlazorFrame" />
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add BlazorFrame --version 1.2.1
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: BlazorFrame, 1.2.1"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package BlazorFrame@1.2.1
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=BlazorFrame&version=1.2.1
#tool nuget:?package=BlazorFrame&version=1.2.1
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
BlazorFrame
A Blazor component that provides an enhanced iframe wrapper with automatic resizing, cross-frame communication, and seamless JavaScript interop with built-in security features.
Features
- Security-First Design - Origin validation, message filtering, and comprehensive security options
- Responsive - Dynamically resizes iframe based on content height (can be enabled/disabled)
- Cross-Frame Messaging - Built-in support for postMessage communication with validation
- Event Callbacks - OnLoad, OnMessage, and security event handling
- Flexible Styling - Customizable width, height, and additional attributes
- JavaScript Interop - Seamless integration with Blazor's JS interop
- Scrolling Control - Enable or disable scrolling within the iframe wrapper
- Disposal Pattern - Proper cleanup of resources and event listeners
Installation
Install the package via NuGet Package Manager:
dotnet add package BlazorFrame
Or via Package Manager Console:
Install-Package BlazorFrame
Quick Start (Secure by Default)
@using BlazorFrame
<BlazorFrame Src="https://example.com" />
The component automatically derives allowed origins from the Src URL for secure messaging.
Usage Examples
Basic Usage with Event Handling
@using BlazorFrame
@using BlazorFrame.Models
<BlazorFrame Src="@iframeUrl"
Width="100%"
Height="400px"
EnableAutoResize="true"
EnableScroll="false"
OnLoad="HandleIframeLoad"
OnValidatedMessage="HandleValidatedMessage"
OnSecurityViolation="HandleSecurityViolation"
class="my-custom-iframe" />
@code {
private string iframeUrl = "https://example.com";
private Task HandleIframeLoad()
{
Console.WriteLine("Iframe loaded successfully!");
return Task.CompletedTask;
}
private Task HandleValidatedMessage(IframeMessage message)
{
Console.WriteLine($"Secure message from {message.Origin}: {message.Data}");
return Task.CompletedTask;
}
private Task HandleSecurityViolation(IframeMessage violation)
{
Console.WriteLine($"Security violation: {violation.ValidationError}");
return Task.CompletedTask;
}
}
Advanced Security Configuration
@using BlazorFrame
@using BlazorFrame.Models
<BlazorFrame Src="@iframeUrl"
AllowedOrigins="@allowedOrigins"
SecurityOptions="@securityOptions"
OnValidatedMessage="HandleValidatedMessage"
OnSecurityViolation="HandleSecurityViolation" />
@code {
private string iframeUrl = "https://widget.example.com";
private List<string> allowedOrigins = new()
{
"https://widget.example.com",
"https://api.example.com"
};
private MessageSecurityOptions securityOptions = new()
{
EnableStrictValidation = true,
MaxMessageSize = 32 * 1024, // 32KB
LogSecurityViolations = true
};
private Task HandleValidatedMessage(IframeMessage message)
{
// Handle validated, secure messages
return Task.CompletedTask;
}
private Task HandleSecurityViolation(IframeMessage violation)
{
// Log, alert, or take corrective action
Logger.LogWarning("Security violation: {Error}", violation.ValidationError);
return Task.CompletedTask;
}
}
Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
Src |
string |
"" |
The URL to load in the iframe |
Width |
string |
"100%" |
The width of the iframe |
Height |
string |
"600px" |
The initial height of the iframe |
EnableAutoResize |
bool |
true |
Whether to automatically resize the iframe based on content height |
EnableScroll |
bool |
false |
Whether to enable scrolling within the iframe wrapper |
AllowedOrigins |
List<string>? |
null |
Explicit list of allowed origins. If null, auto-derives from Src |
SecurityOptions |
MessageSecurityOptions |
new() |
Security configuration options |
OnLoad |
EventCallback |
- | Callback fired when the iframe loads |
OnMessage |
EventCallback<string> |
- | Callback fired when receiving valid postMessage (legacy) |
OnValidatedMessage |
EventCallback<IframeMessage> |
- | Callback fired with full message validation details |
OnSecurityViolation |
EventCallback<IframeMessage> |
- | Callback fired when security violations occur |
AdditionalAttributes |
Dictionary<string, object> |
- | Additional HTML attributes to apply |
Security Features
Origin Validation
BlazorFrame automatically validates message origins to prevent unauthorized communication:
- Auto-derived origins: Automatically allows messages from the iframe's source domain
- Explicit allowlist: Override with custom allowed origins for multi-domain scenarios
- Protocol enforcement: Ensures HTTPS origins when possible
Message Validation
All incoming messages are validated before reaching your application:
public class MessageSecurityOptions
{
/// <summary>List of allowed origins (null = auto-derive from Src)</summary>
public List<string>? AllowedOrigins { get; set; }
/// <summary>Enable strict JSON format validation</summary>
public bool EnableStrictValidation { get; set; } = true;
/// <summary>Maximum message size (default: 64KB)</summary>
public int MaxMessageSize { get; set; } = 64 * 1024;
/// <summary>Log security violations</summary>
public bool LogSecurityViolations { get; set; } = true;
}
Validated Message Model
public class IframeMessage
{
public required string Origin { get; init; } // Verified sender origin
public required string Data { get; init; } // Validated JSON string
public bool IsValid { get; init; } // Security validation result
public string? ValidationError { get; init; } // Error details (if any)
public string? MessageType { get; init; } // Extracted message type
}
Security Event Handling
Monitor and respond to security events:
<BlazorFrame OnSecurityViolation="HandleViolation" />
@code {
private Task HandleViolation(IframeMessage violation)
{
// Log, alert, or take corrective action
Logger.LogWarning("Security violation: {Error}", violation.ValidationError);
return Task.CompletedTask;
}
}
Automatic Resizing
BlazorFrame can automatically adjust the iframe height based on the content inside when EnableAutoResize is set to true (default). The component:
- Monitors the iframe content document every 500ms
- Calculates the maximum height from various document properties
- Updates the iframe height dynamically
- Handles cross-origin restrictions gracefully
- Can be disabled by setting
EnableAutoResize="false"
Cross-Frame Communication
Sending Messages from Iframe (Secure)
// Inside your iframe content - specify target origin for security
window.parent.postMessage({
type: 'custom',
data: 'Hello from iframe!'
}, 'https://your-parent-domain.com');
Special Resize Messages
// Send resize messages (validated automatically)
window.parent.postMessage({
type: 'resize',
height: 800
}, 'https://your-parent-domain.com');
Receiving Validated Messages
private Task HandleValidatedMessage(IframeMessage message)
{
// message.Origin - verified sender origin
// message.Data - validated JSON string
// message.MessageType - extracted message type (if present)
// message.IsValid - always true in this callback
return Task.CompletedTask;
}
Styling and CSS
The component includes built-in CSS styling with wrapper classes:
- iframe-wrapper - Applied to all iframe wrappers
- iframe-wrapper scrollable - Applied when
EnableScroll="true"
The wrapper provides:
- 100% width by default
- Hidden overflow (unless scrollable)
- Borderless iframe display
Examples
Loading Different Content Types
<BlazorFrame Src="https://docs.microsoft.com" />
<BlazorFrame Src="./local-content.html" />
<BlazorFrame Src="data:text/html,<h1>Hello World!</h1>" />
Multi-Domain Setup
<BlazorFrame Src="https://widget.example.com"
AllowedOrigins="@(new List<string>
{
"https://widget.example.com",
"https://api.example.com"
})" />
High-Security Configuration
<BlazorFrame Src="@secureUrl"
SecurityOptions="@(new MessageSecurityOptions
{
EnableStrictValidation = true,
MaxMessageSize = 16 * 1024, // 16KB limit
LogSecurityViolations = true
})"
OnSecurityViolation="HandleViolation" />
Responsive Design
<div class="container-fluid">
<BlazorFrame Src="@contentUrl"
Width="100%"
Height="calc(100vh - 200px)"
EnableAutoResize="false"
style="min-height: 400px;" />
</div>
Disabling Auto-Resize for Fixed Height
<BlazorFrame Src="@contentUrl"
Width="100%"
Height="500px"
EnableAutoResize="false"
EnableScroll="true" />
Custom Styling and Attributes
<BlazorFrame Src="@iframeUrl"
Width="800px"
Height="600px"
EnableAutoResize="false"
EnableScroll="true"
class="border rounded shadow"
style="margin: 20px;"
sandbox="allow-scripts allow-same-origin" />
Best Practices
- Always specify target origin when sending messages from iframe content
- Use OnValidatedMessage for new implementations instead of legacy OnMessage
- Monitor security violations in production environments
- Set appropriate MaxMessageSize based on your use case
- Enable logging for security auditing
- Use HTTPS for iframe sources when possible
- Implement proper error handling for security violations
Requirements
- .NET 8.0 or later
- Blazor Server or Blazor WebAssembly
Browser Support
BlazorFrame works in all modern browsers that support:
- ES6 modules
- postMessage API with origin validation
- Blazor JavaScript interop
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
If you encounter any issues or have questions:
- Open an issue on GitHub
- Check existing issues for solutions
- Suggest new features or improvements
Version History
v1.1.0
- Added comprehensive security features
- Origin validation and message filtering
- Security event callbacks
- Enhanced logging support
- Backward compatibility maintained
v1.0.1
- Initial release
- Basic iframe wrapper
- Auto-resize functionality
- PostMessage support
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
-
net8.0
- Microsoft.AspNetCore.Components.Web (>= 8.0.16)
- Microsoft.Extensions.Logging.Abstractions (>= 8.0.16)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.