dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Consider using file extension for WASM ICU data files that is less likely to be blocked by firewalls (not .dat) #99231

Open frankbuckley opened 5 months ago

frankbuckley commented 5 months ago

Description

*.dat files can be blocked by default firewall configurations:

- https://github.com/dotnet/runtime/issues/89073
- https://github.com/coreruleset/coreruleset/blob/0bd51ff806c68e2a54c4d60ca13f731c5355696d/crs-setup.conf.example#L446

This causes Blazor WASM apps to fail to load:

(screenshot of the failing app, not reproduced here)

Reproduction Steps

Deploy WASM Blazor app behind an Ingress-NGINX Controller for Kubernetes with `enable-modsecurity: "true"` and `enable-owasp-modsecurity-crs: "true"`.

Expected behavior

WASM app is downloaded and runs in browser without errors.

Actual behavior

ICU data file is blocked by firewall and WASM app fails to load.

Regression?

No response

Known Workarounds

Configure firewall rules to allow *.dat files OR [Customise WASM app build to rename ICU data files to use extension that is not blocked by default](https://github.com/maraf/dotnet-wasm-rename-icu)

Configuration

Confirmed using Edge and Google Chrome.

Other information

No response
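To make the failure mode concrete, here is an added example (not code from dotnet/runtime, the CRS project, or the issue author) that models the CRS restricted-extension check against a constructed Blazor `_framework` file list and then applies the two workarounds named above. The extension list approximates the default `tx.restricted_extensions` set by rule 900240 in the linked `crs-setup.conf.example`; the file on your deployment is authoritative. The check itself is a simplified model of CRS rule 920440 ("URL file extension is restricted by policy"), and `.bin` as the rename target is an assumption.

```python
"""Added example (not code from dotnet/runtime or the CRS project): a model of
the OWASP CRS restricted-extension check run over a Blazor WASM file list, with
the two workarounds from the issue. The extension list below approximates the
default tx.restricted_extensions from crs-setup.conf.example (rule 900240); the
file on your deployment is authoritative."""
import posixpath
import re

# Approximation of the CRS default (rule 900240). Each entry is '.ext/' so that
# '@within' cannot match a partial extension; note '.dat/' and '.dll/'.
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ "
    ".config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ "
    ".htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ "
    ".pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ "
    ".sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)

# Constructed sample of a published Blazor WASM _framework directory.
BLAZOR_FRAMEWORK_FILES = [
    "/_framework/blazor.webassembly.js",
    "/_framework/dotnet.js",
    "/_framework/dotnet.native.wasm",
    "/_framework/icudt_EFIGS.dat",               # locale shard picked at startup
    "/_framework/icudt.dat",                     # full ICU data
    "/_framework/System.Private.CoreLib.dll",    # pre-Webcil layout
    "/_framework/System.Private.CoreLib.wasm",   # Webcil layout (WasmEnableWebcil)
]


def restricted_extension(path, restricted=RESTRICTED_EXTENSIONS):
    """Simplified model of CRS rule 920440: take the request basename, capture
    the text after the last '.', lowercase it, and test '.ext/' with '@within'
    against the restricted list. Returns the matching token or None."""
    base = posixpath.basename(path.split("?", 1)[0])
    m = re.search(r"\.([^.]+)$", base)
    if not m:
        return None
    token = "." + m.group(1).lower() + "/"
    return token if token in restricted else None


def blocked_requests(paths, restricted=RESTRICTED_EXTENSIONS):
    """Map each path the WAF would block to the token that triggered it."""
    hits = {}
    for p in paths:
        token = restricted_extension(p, restricted)
        if token:
            hits[p] = token
    return hits


def allow_extension(restricted, ext):
    """Workaround 1 (WAF side): drop one token from the list, i.e. the effect of
    overriding tx.restricted_extensions without '.dat/'. This relaxes the policy
    for every .dat URL on the site, not just the ICU files."""
    token = "." + ext.lstrip(".").lower() + "/"
    return " ".join(t for t in restricted.split() if t != token)


def rename_icu_files(paths, new_ext=".bin"):
    """Workaround 2 (app side): publish icudt*.dat under an extension that is not
    on the list, as the linked dotnet-wasm-rename-icu sample does at build time.
    '.bin' is an assumed choice here; the function refuses a restricted target."""
    if restricted_extension("x" + new_ext):
        raise ValueError(f"{new_ext} is itself restricted")
    return [re.sub(r"(icudt[^/]*)\.dat$", lambda m: m.group(1) + new_ext, p)
            for p in paths]
```

Two things the model makes visible: the check looks only at the text after the last dot of the basename, so the precompressed `icudt.dat.br` sidecar is not what trips the rule (the browser requests the `.dat` URL and the server negotiates the encoding), and the same default list also carries `.dll/`, which is the case the Webcil `.wasm` wrapper discussed further down already handles. Removing `.dat/` from the list is the broader change; renaming the ICU files keeps the WAF policy intact.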

ghost commented 5 months ago

Tagging subscribers to this area: @dotnet/area-system-globalization See info in area-owners.md if you want to be subscribed.

Issue Details
Author: frankbuckley
Assignees: -
Labels: `arch-wasm`, `area-System.Globalization`, `untriaged`
Milestone: -
pavelsavara commented 4 months ago

Existing solution is to bundle ICU data into the main dotnet.native.wasm, but that only makes sense if you know which shard or if you include full ICU data.

Normally we only download the ICU shard which matches the locale of the browser. It's much smaller/faster. There are multiple, and we don't know which we will use until we actually start.

So I think the proper solution is to wrap all ICU shards into a .wasm container. In the same way as we do for DLLs and WebCil, which is triggered by WasmEnableWebcil

Maybe current webcil is defined as IL wrapper. But I think we could extend it to be more generic container.

@lambdageek thoughts ?

ilonatommy commented 4 months ago

An existing workaround that can be used only in case of loading full ICU (icudt.dat) could be the one described in https://github.com/dotnet/runtime/issues/100638. It is not ideal, though. For apps that use shards (dynamically load the best-matching file - in the described case icudt_EFIGS.dat), it will have a negative effect of increasing the app size.

maraf commented 4 months ago

> Maybe current webcil is defined as IL wrapper. But I think we could extend it to be more generic container.

It was part of the original proposal, but out of scope for .NET 8

lewing commented 4 months ago

Is the issue just the extension?

maraf commented 4 months ago

I have a sample for the former bundler https://github.com/maraf/dotnet-wasm-rename-icu. Maybe providing similar guidance for new SDK/blazor would be enough

EDIT: Oh, already mentioned on the report

maraf commented 4 months ago

@frankbuckley Does the trick with changing the extension work in your scenario?

frankbuckley commented 4 months ago

> @frankbuckley Does the trick with changing the extension work in your scenario?

I saw it but did not try it - sorry.

We decided we could alter our firewall rules to allow .dat file downloads without too much risk and that this would be the simpler option.

However, the CRS is used, I believe, by (at least) Cloudflare and Azure WAFs, though I don't know if they change the allowed file extensions by default.

Might be worth avoiding the potential pitfall.
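For readers who, like the reporter, choose the firewall-side route, here is an added example (not configuration from the issue or from dotnet/runtime) of doing it with a scoped rule exclusion instead of allowing `.dat` site-wide. It assumes ingress-nginx with the ConfigMap settings from the report already in place, the default `/_framework/` Blazor path, and a local rule id from the 1-99999 range reserved for site-specific rules; the Ingress name, host and service are placeholders. Recent ingress-nginx versions also require `allow-snippet-annotations: "true"` in the controller ConfigMap before any `*-snippet` annotation is honoured.

```yaml
# Added example: scoped ModSecurity exclusion for the Blazor ICU data files,
# not configuration from the issue or the dotnet/runtime project.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blazor-app                  # assumed name
  annotations:
    # Rule 920440 ("URL file extension is restricted by policy") is what fires on
    # icudt*.dat. Rather than removing '.dat/' from tx.restricted_extensions for
    # every URL on the site, disable that one rule only for the ICU files.
    # phase:1 runs before 920440 (phase:2), so the ctl action takes effect no
    # matter where in the configuration this snippet is included.
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRule REQUEST_FILENAME "@rx ^/_framework/icudt[^/]*\.dat$" \
        "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=920440"
spec:
  rules:
  - host: app.example.com           # assumed host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: blazor-app        # assumed service
            port:
              number: 80
```

Verify on your controller version that the annotation snippet is applied in addition to the globally included CRS (the ingress-nginx documentation describes the interaction between annotation-level CRS enabling and snippets), and check the ModSecurity audit log for a `920440` entry before and after the change. If the app is hosted under a sub-path, extend the regex accordingly. Other WAFs that ship the CRS (the comment above mentions Cloudflare and Azure) expose the same rule id, though the exclusion mechanism differs per product.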

lambdageek commented 4 months ago

> Maybe current webcil is defined as IL wrapper. But I think we could extend it to be more generic container.

Yea, possibly. The outer container (ie the wasm module) doesn't care too much about what's inside (except there's an alignment hack specifically for IL). We could change it to host other content. Also @kg was interested in loading webcil "honestly" (ie: using WebAssembly.instantiateStreaming instead of fetch/blob()) so even for IL we wouldn't need the alignment hack anymore.
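To show what the "generic container" from pavelsavara's proposal and lambdageek's reply amounts to on the wire, here is an added example (not Webcil, and not code from dotnet/runtime) that wraps an opaque payload such as an ICU shard in a minimal WebAssembly module and parses it back out. It uses a custom section, which engines ignore and `WebAssembly.validate` accepts, rather than Webcil's data-segment layout; the section name `icudt` and the sample payload are constructed for the example.

```python
"""Added example: wrap an opaque payload (e.g. an ICU shard) in a minimal
WebAssembly module so it ships with a .wasm extension, and unwrap it again.
Illustrates the container idea from the thread with a custom section; it is
NOT the Webcil layout used by dotnet/runtime."""
import struct

WASM_MAGIC = b"\x00asm"
WASM_VERSION = struct.pack("<I", 1)   # binary format version 1
CUSTOM_SECTION_ID = 0                 # custom sections are skipped by engines


def uleb128(n):
    """Encode a non-negative int as unsigned LEB128 (wasm's length encoding)."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_uleb128(buf, pos):
    """Decode unsigned LEB128 at buf[pos]; return (value, next_pos)."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def wrap_in_wasm(payload, section_name="icudt"):
    """Module = magic + version + one custom section (name + raw payload)."""
    name = section_name.encode()
    body = uleb128(len(name)) + name + payload
    return (WASM_MAGIC + WASM_VERSION + bytes([CUSTOM_SECTION_ID])
            + uleb128(len(body)) + body)


def unwrap_from_wasm(module, section_name="icudt"):
    """Walk the section table and return the payload of the named custom
    section. Bounds are checked so a truncated download fails loudly instead
    of handing back a partial ICU file."""
    if module[:8] != WASM_MAGIC + WASM_VERSION:
        raise ValueError("not a wasm module")
    pos = 8
    while pos < len(module):
        section_id = module[pos]
        pos += 1
        size, pos = read_uleb128(module, pos)
        end = pos + size
        if end > len(module):
            raise ValueError("truncated section")
        if section_id == CUSTOM_SECTION_ID:
            name_len, p = read_uleb128(module, pos)
            if module[p:p + name_len].decode() == section_name:
                return module[p + name_len:end]
        pos = end
    raise KeyError(section_name)
```

The loader side of the runtime would fetch the `.wasm` URL, locate the section and hand the bytes to ICU exactly as it does for `.dat` today; nothing about the bytes changes. From the WAF's point of view that is the lesson of this thread: an extension deny list decides on the URL's suffix, not on content, so it blocks benign data files while any payload can be carried past it inside a permitted wrapper.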