BlazorFrame 2.4.1

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. 
dotnet add package BlazorFrame --version 2.4.1
                    


                    

                
NuGet\Install-Package BlazorFrame -Version 2.4.1
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="BlazorFrame" Version="2.4.1" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="BlazorFrame" Version="2.4.1" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="BlazorFrame" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add BlazorFrame --version 2.4.1
                    


                    

                
#r "nuget: BlazorFrame, 2.4.1"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package BlazorFrame@2.4.1
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=BlazorFrame&version=2.4.1
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=BlazorFrame&version=2.4.1
                    


                            Install as a Cake Tool

<h1> <div align="center" style="margin:0; padding:0;"> <img src="https://github.com/Tim-Maes/BlazorFrame/blob/master/assets/BlazorFrameLogo.png" alt="BlazorFrame Logo" width="600" /> </div> </h1>

A security-first Blazor iframe component with automatic resizing, cross-frame messaging, and comprehensive Content Security Policy integration.

NuGet Downloads GitHub CI CD

Features

  • Security-First Design - Built-in origin validation, message filtering, and sandbox isolation
  • Content Security Policy - Comprehensive CSP integration with fluent configuration API
  • Bidirectional Communication - Secure postMessage communication with validation for both directions
  • Navigation Tracking - Capture iframe navigation events with URL and query parameters
  • Sandbox Support - Multiple security levels from permissive to paranoid isolation
  • Environment-Aware - Different configurations for development vs production
  • Automatic Resizing - Smart height adjustment based on iframe content with configurable options
  • Programmatic Reload - Refresh iframe content without recreating the entire component

Documentation

Complete Documentation

🚀 Quick Start

Installation

dotnet add package BlazorFrame

Basic Usage

@using BlazorFrame


<BlazorFrame Src="https://example.com" />


<BlazorFrame @ref="iframeRef"
            Src="https://widget.example.com"
            EnableNavigationTracking="true"
            SecurityOptions="@securityOptions"
            OnValidatedMessage="HandleMessage"
            OnNavigation="HandleNavigation"
            OnSecurityViolation="HandleViolation" />

<button @onclick="SendDataToIframe">Send Data</button>

@code {
    private BlazorFrame? iframeRef;
    
    private readonly MessageSecurityOptions securityOptions = new MessageSecurityOptions()
        .ForProduction()        // Strict security settings
        .WithBasicSandbox()     // Enable iframe sandboxing
        .RequireHttps();        // Enforce HTTPS transport
        
    private Task HandleMessage(IframeMessage message)
    {
        Console.WriteLine($"Received message from {message.Origin}: {message.Data}");
        return Task.CompletedTask;
    }

    private Task HandleNavigation(NavigationEvent navigation)
    {
        Console.WriteLine($"Navigation to: {navigation.Url}");
        Console.WriteLine($"Query params: {string.Join(", ", navigation.QueryParameters)}");
        return Task.CompletedTask;
    }

    private Task HandleViolation(IframeMessage violation)
    {
        Console.WriteLine($"Security violation: {violation.ValidationError}");
        return Task.CompletedTask;
    }
    
    private async Task SendDataToIframe()
    {
        if (iframeRef != null)
        {
            await iframeRef.SendTypedMessageAsync("user-data", new { userId = 123, name = "John" });
        }
    }
}

Configuration Examples

// Development environment - relaxed security
var devOptions = new MessageSecurityOptions()
    .ForDevelopment()
    .WithPermissiveSandbox();

// Production environment - strict security
var prodOptions = new MessageSecurityOptions()
    .ForProduction()
    .WithStrictSandbox()
    .ValidateAndThrow();

// Payment widgets - maximum security
var paymentOptions = new MessageSecurityOptions()
    .ForPaymentWidget();

Auto-Resize Configuration

Control how the iframe automatically adjusts its height based on content:

<BlazorFrame Src="https://example.com"
            EnableAutoResize="true"
            ResizeOptions="@resizeOptions" />

@code {
    // Custom resize configuration
    private readonly ResizeOptions resizeOptions = new()
    {
        MinHeight = 200,
        MaxHeight = 2000,
        PollingInterval = 500,
        DebounceMs = 100,
        UseResizeObserver = true
    };
    
    // Or use built-in presets:
    // ResizeOptions.Default      - Balanced defaults
    // ResizeOptions.Performance  - Less frequent updates (better performance)
    // ResizeOptions.Responsive   - More frequent updates (smoother resizing)
}
Property Default Description
MinHeight 100 Minimum height in pixels
MaxHeight 50000 Maximum height in pixels
PollingInterval 500 Fallback polling interval (ms) when ResizeObserver unavailable
DebounceMs 100 Debounce delay to prevent excessive updates (0 to disable)
UseResizeObserver true Use ResizeObserver API when available

Programmatic Reload

Refresh iframe content without recreating the entire component - useful for PDFs, dynamic content, or cache-busting:

<BlazorFrame @ref="iframeRef" Src="@pdfUrl" />

<button @onclick="RefreshContent">Refresh</button>
<button @onclick="LoadNewDocument">Load New Document</button>

@code {
    private BlazorFrame? iframeRef;
    private string pdfUrl = "https://example.com/document.pdf";
    
    // Reload the current content
    private async Task RefreshContent()
    {
        if (iframeRef != null)
        {
            await iframeRef.ReloadAsync();
        }
    }
    
    // Load a new URL with cache-busting
    private async Task LoadNewDocument()
    {
        if (iframeRef != null)
        {
            var cacheBustedUrl = $"https://example.com/document.pdf?v={DateTime.UtcNow.Ticks}";
            await iframeRef.ReloadAsync(cacheBustedUrl);
        }
    }
}

Content Security Policy

<BlazorFrame Src="https://widget.example.com"
            CspOptions="@cspOptions"
            OnCspHeaderGenerated="HandleCspGenerated" />

@code {
    private readonly CspOptions cspOptions = new CspOptions()
        .ForProduction()
        .AllowFrameSources("https://widget.example.com")
        .WithScriptNonce("secure-nonce-123");
        
    private Task HandleCspGenerated(CspHeader cspHeader)
    {
        // Apply CSP header to HTTP response
        // HttpContext.Response.Headers.Add(cspHeader.HeaderName, cspHeader.HeaderValue);
        return Task.CompletedTask;
    }
}

Security

Content Security Policy

Comprehensive CSP integration for defense-in-depth security:

  • Automatic header generation - CSP headers built from iframe requirements
  • Environment-aware policies - Different rules for development vs production
  • Fluent configuration API - Easy-to-use builder pattern for CSP rules
  • Violation monitoring - Real-time CSP violation reporting and analysis
  • Nonce and hash support - Modern CSP techniques for script security

Message Validation

All iframe messages are automatically validated for:

  • Origin verification - Ensures messages come from allowed domains
  • Content validation - JSON structure and size limits
  • Security filtering - Blocks malicious patterns and script injection
  • Custom validation - Extensible validation pipeline

Sandbox Security Levels

Level Permissions Use Case
None No restrictions Trusted content only
Basic Scripts + same-origin Most trusted widgets
Permissive Scripts + same-origin + forms + popups Interactive widgets
Strict Scripts only (no same-origin) Semi-trusted content
Paranoid Empty sandbox (no permissions) Untrusted content

API Reference

Component Parameters

Parameter Type Default Description
Src string "" The URL to load in the iframe
Width string "100%" Width of the iframe
Height string "600px" Height of the iframe
EnableAutoResize bool true Enable automatic height adjustment
ResizeOptions ResizeOptions? null Configuration for auto-resize behavior
EnableScroll bool false Enable scrolling on the wrapper
EnableNavigationTracking bool false Track iframe navigation events
AllowedOrigins List<string>? null Allowed origins for postMessage
SecurityOptions MessageSecurityOptions new() Security configuration
CspOptions CspOptions? null Content Security Policy configuration

Component Methods

Method Returns Description
ReloadAsync() Task Reloads the iframe content
ReloadAsync(string newSrc) Task Reloads with a new source URL
SendMessageAsync(object data, string? targetOrigin) Task<bool> Sends a message to the iframe
SendTypedMessageAsync(string type, object? data, string? targetOrigin) Task<bool> Sends a typed message
GetRecommendedCspHeader() CspHeader? Gets the recommended CSP header
ValidateCspConfiguration() CspValidationResult? Validates the CSP configuration

Events

Event Type Description
OnLoad EventCallback Fired when iframe loads
OnMessage EventCallback<string> Fired on message (raw JSON)
OnValidatedMessage EventCallback<IframeMessage> Fired on validated message
OnSecurityViolation EventCallback<IframeMessage> Fired on security violation
OnNavigation EventCallback<NavigationEvent> Fired on navigation
OnUrlChanged EventCallback<string> Fired on URL change
OnMessageSent EventCallback<string> Fired when message sent
OnMessageSendFailed EventCallback<Exception> Fired on send failure
OnCspHeaderGenerated EventCallback<CspHeader> Fired when CSP generated
OnInitializationError EventCallback<Exception> Fired on init failure

Demo

BlazorFrame Demo

Interactive Demo - Try different security configurations live

Requirements

  • .NET 8.0 or later
  • Blazor Server or Blazor WebAssembly
  • Modern browser with ES6 modules support

Browser Support

  • Chrome 91+
  • Firefox 90+
  • Safari 15+
  • Edge 91+

Support

License

This project is licensed under the MIT License.

Built with ❤️ for the Blazor community

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 was computed.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
2.4.1 241 1/15/2026
2.3.0 1,612 8/27/2025
2.1.2 618 7/12/2025
2.1.1 161 7/12/2025
2.1.0 327 7/11/2025
2.0.0 178 7/10/2025
1.4.0 176 7/7/2025
1.3.0 182 7/7/2025
1.2.2 180 7/7/2025
1.2.1 182 7/7/2025
1.2.0 180 7/7/2025
1.1.2 189 7/7/2025
1.1.1 179 7/7/2025
1.1.0 151 7/4/2025
1.0.1 151 7/4/2025
1.0.0 174 7/4/2025