Switch to using POST for .NET method invoke #32104
Pull Request Overview
This PR migrates the HybridWebView's .NET method invocation from GET requests with URL-encoded query strings to POST requests with JSON bodies. This change removes URL length limitations and enables future extensibility. The implementation differs slightly by platform: Windows, iOS, and macOS use standard POST bodies, while Android works around platform limitations by using a custom header to transmit the request body.
Key changes:
- Changed JavaScript fetch calls from GET to POST with JSON body
- Added security validation through custom headers (X-Maui-Invoke-Token)
- Implemented platform-specific body handling (stream for iOS/Windows/Mac, header for Android)
- Added comprehensive test coverage for validation failures
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| MauiHybridWebViewClient.cs | Android implementation: validates POST requests and reads body from custom header |
| HybridWebViewHandler.iOS.cs | iOS/MacCatalyst implementation: validates POST requests and reads body from NSData stream |
| HybridWebViewHandler.cs | Shared handler: updated method signature to accept stream or string body instead of query string |
| HybridWebViewHandler.Windows.cs | Windows implementation: validates POST requests and reads body from request content stream |
| HybridWebView.ts | TypeScript client: changed from GET with query string to POST with JSON body and headers |
| HybridWebView.js | JavaScript client: transpiled version of TypeScript changes |
| Core.csproj | Build configuration: allows conditional override of TypeScript compilation blocking |
| invokedotnetfails.html | Test HTML page: provides test functions for validation failure scenarios |
| HybridWebViewTests_InvokeDotNetFails.cs | Unit tests: validates security checks and proper error handling |
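
The request gate this PR describes for the __hwvInvokeDotNet endpoint can be modelled as follows. This is an added example, not code from the pull request or from MAUI: the header names, the token value and the 400/405 status codes are the ones quoted on this page, while the mapping of each failure to a status, the body-before-header ordering, the JSON check and the sample payload shape are assumptions.

```typescript
// Added example: models the request gate this PR describes; not MAUI code.
const TOKEN_HEADER = "X-Maui-Invoke-Token";
const TOKEN_VALUE = "HybridWebView"; // InvokeDotNetTokenHeaderValue on this page
const BODY_HEADER = "X-Maui-Request-Body"; // InvokeDotNetBodyHeaderName

interface InvokeRequest {
  method: string; headers: { [name: string]: string };
  body?: string; // POST body on platforms that expose one
}
interface GateResult { status: number; reason: string; payload?: unknown; }

// Header names are case-insensitive, so compare them lowercased.
function getHeader(req: InvokeRequest, name: string): string | undefined {
  const wanted = name.toLowerCase();
  const key = Object.keys(req.headers).filter((k) => k.toLowerCase() === wanted)[0];
  return key === undefined ? undefined : req.headers[key];
}

// Assumption: 405 for a wrong method, 400 for every other rejection.
function gateInvokeDotNet(req: InvokeRequest): GateResult {
  if (req.method.toUpperCase() !== "POST") {
    return { status: 405, reason: "method not allowed" };
  }
  if (getHeader(req, TOKEN_HEADER) !== TOKEN_VALUE) {
    return { status: 400, reason: "missing or invalid invoke token" };
  }
  // Assumption: use the POST body when present, else the body header (Android).
  const raw = req.body ? req.body : getHeader(req, BODY_HEADER);
  if (raw === undefined || raw.trim() === "") {
    return { status: 400, reason: "empty body" };
  }
  try {
    return { status: 200, reason: "ok", payload: JSON.parse(raw) };
  } catch {
    return { status: 400, reason: "body is not valid JSON" }; // assumption
  }
}

// Constructed requests mirroring the failure cases the PR's tests list.
const json = '{"method":"Ping","args":[]}'; // hypothetical payload shape
const token: { [name: string]: string } = { "X-Maui-Invoke-Token": "HybridWebView" };
const samples: InvokeRequest[] = [
  { method: "GET", headers: token },
  { method: "POST", headers: {}, body: json },
  { method: "POST", headers: { "x-maui-invoke-token": "wrong" }, body: json },
  { method: "POST", headers: token, body: "" },
  { method: "POST", headers: token, body: json },
  { method: "POST", headers: { "x-maui-invoke-token": "HybridWebView", "x-maui-request-body": json } },
];
function sampleStatuses(): number[] { return samples.map((s) => gateInvokeDotNet(s).status); }
```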
jsuarezruiz
left a comment
/Users/builder/azdo/_work/1/s/src/Core/src/Handlers/HybridWebView/HybridWebViewHandler.cs(194,66): error CS8604: Possible null reference argument for parameter 'json' in 'JSInvokeMethodData? JsonSerializer.Deserialize<JSInvokeMethodData>(string json, JsonTypeInfo<JSInvokeMethodData> jsonTypeInfo)'. [/Users/builder/azdo/_work/1/s/src/Core/src/Core.csproj::TargetFramework=netstandard2.0]
1 Error(s)
/rebase
b5f1c22 to 988aba9
/backport to release/10.0.1xx
Started backporting to
988aba9 to bd78699
Using GET was simpler, but required everything to be on the URL and URL encoded. There is a limit to the number of chars. Using a POST message allows for longer but also fits in with the ability to extend later with different features. Right now, Windows, iOS and Mac Catalyst use a POST with a body, but Android is limited and has to use a header. In future, switching to a [JavascriptInterface] may be worth investigation. Fix the tests whatever mac no idea some ws Some versions of Android fail with missing headers
8dc3d45 to d536066
/backport to release/10.0.1xx
Started backporting to
Pull Request Overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
| internal const string InvokeDotNetTokenHeaderValue = "HybridWebView"; | ||
| internal const string InvokeDotNetBodyHeaderName = "X-Maui-Request-Body"; | ||
|
|
||
|
|
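Review bot: InvokeDotNetTokenHeaderValue is the fixed, publicly visible string "HybridWebView", so any script that can already set request headers in the web view can send it; add a doc comment on the constant stating that the X-Maui-Invoke-Token check only rejects requests that cannot carry this custom header and is not a secret or an authentication token. On InvokeDotNetBodyHeaderName, note beside the constant that "X-Maui-Request-Body" carries the whole JSON payload on Android, and settle whether that path needs a size limit and an encoding rule, since header values are more constrained than a POST body.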
Copilot
AI
Oct 28, 2025
Multiple consecutive blank lines detected. Remove one of the blank lines to follow standard formatting practices.
| // iframe.frameBorder = '0'; | ||
| // iframe.loading = 'lazy'; | ||
| // iframe.allowTransparency = 'true'; | ||
| // iframe.allowFullscreen = 'true'; |
Copilot
AI
Oct 28, 2025
Commented-out code should be removed. If these iframe attributes are not needed for the test, delete them. If they may be needed in the future, document why they are preserved as comments.
| // iframe.frameBorder = '0'; | |
| // iframe.loading = 'lazy'; | |
| // iframe.allowTransparency = 'true'; | |
| // iframe.allowFullscreen = 'true'; |
This pull request introduces significant improvements to the HybridWebView's .NET invocation security and request handling, as well as updates to the related test infrastructure and JavaScript interop logic. The changes enforce stricter validation of incoming requests to the __hwvInvokeDotNet endpoint, ensuring only properly formed POST requests with required headers and bodies are processed. Comprehensive device tests and supporting HTML/JS files have been added to verify these behaviors across platforms.

HybridWebView .NET Invocation Security & Request Handling
- __hwvInvokeDotNet endpoint: only POST requests with the correct X-Maui-Invoke-Token and X-Maui-Request-Body headers and a non-empty body are accepted; others are blocked with appropriate HTTP status codes (400 Bad Request, 405 Method Not Allowed).

JavaScript Interop and API Updates
- __hwvInvokeDotNet endpoint, matching the new server-side requirements. The request and response handling code was also improved for better error handling and data deserialization.

Device Test Infrastructure
- HybridWebViewTests_InvokeDotNetFails.cs) and corresponding HTML test page (invokedotnetfails.html) to verify that invalid requests (wrong method, missing/invalid headers, empty body, iframe context) are blocked and only valid requests succeed.

Cross-Platform and Build System Improvements
- HeaderPairType for header handling, improving maintainability and cross-platform support.
- TypeScriptCompileBlocked property.

Future Improvements