Severity
Medium
Describe the bug
JavaScript message classification currently depends on string heuristics (for example keyword/token matching) instead of explicit protocol metadata.
This is fragile and can drift from the runtime contract, causing cross-channel misrouting and incorrect handler execution.
Steps to reproduce
- Send a non-Blazor message that includes heuristic-triggering tokens (for example
RenderBatch).
- Observe that the message is classified as a Blazor/runtime message.
- Verify warning/no-handler or incorrect-handler paths are triggered.
Expected behavior
Message classification is based only on explicit protocol/channel markers (for example envelope version, channel, type, or equivalent contract fields), not content heuristics.
Actual behavior
Heuristic pattern matching on message content determines classification, which can produce false positives/false negatives.
Logs / Error Output
Potential warning/no-handler paths.
Minimal reproduction
Craft and send a non-Blazor message payload containing RenderBatch token and confirm misclassification.
.NET Version
Affects protocol boundary; runtime-version agnostic unless proven otherwise.
Please validate on currently supported target frameworks in this repo.
Project Version / Commit
Please test against current main (or provide exact commit SHA when triaged).
Operating System
Expected to be cross-platform (Windows/macOS/Linux) because issue is protocol/classification logic, not OS-specific APIs.
Hardening / Proposed fix
Replace heuristic filtering with contract-driven routing:
- Require explicit envelope fields for routing decisions.
- Reject or quarantine messages missing required routing metadata.
- Keep temporary compatibility path only if needed, with telemetry for heuristic fallback usage.
Add tests:
- Positive: correctly routed messages by explicit markers.
- Negative: messages containing heuristic keywords but missing markers must not be routed.
- Regression:
RenderBatch token inside non-Blazor payload must not trigger Blazor path.
- Compatibility: migration behavior if legacy messages are still supported.
Scope / Impact
Impacts JS/runtime interop message handling; medium severity due to misclassification risk and maintainability drift.
Checklist
Severity
Medium
Describe the bug
JavaScript message classification currently depends on string heuristics (for example keyword/token matching) instead of explicit protocol metadata.
This is fragile and can drift from the runtime contract, causing cross-channel misrouting and incorrect handler execution.
Steps to reproduce
RenderBatch).Expected behavior
Message classification is based only on explicit protocol/channel markers (for example envelope
version,channel,type, or equivalent contract fields), not content heuristics.Actual behavior
Heuristic pattern matching on message content determines classification, which can produce false positives/false negatives.
Logs / Error Output
Minimal reproduction
Craft and send a non-Blazor message payload containing
RenderBatchtoken and confirm misclassification..NET Version
Affects protocol boundary; runtime-version agnostic unless proven otherwise.
Please validate on currently supported target frameworks in this repo.
Project Version / Commit
Please test against current
main(or provide exact commit SHA when triaged).Operating System
Expected to be cross-platform (Windows/macOS/Linux) because issue is protocol/classification logic, not OS-specific APIs.
Hardening / Proposed fix
Replace heuristic filtering with contract-driven routing:
Add tests:
RenderBatchtoken inside non-Blazor payload must not trigger Blazor path.Scope / Impact
Impacts JS/runtime interop message handling; medium severity due to misclassification risk and maintainability drift.
Checklist