Topic update (#18158)

Author: guardrex

aspnetcore/fundamentals/http-context.md

@@ -5,7 +5,7 @@ description: Learn how to access HttpContext in ASP.NET Core.
 monikerRange: '>= aspnetcore-2.1'
 ms.author: riande
 ms.custom: mvc
-ms.date: 12/03/2019
+ms.date: 5/5/2020
 no-loc: [Blazor, "Identity", "Let's Encrypt", Razor, SignalR]
 uid: fundamentals/httpcontext
 ---
@@ -158,3 +158,8 @@ public class EmailController : Controller
         ...
     }
 }
+```
+
+## Blazor and shared state
+
+[!INCLUDE[](~/includes/blazor-security/blazor-shared-state.md)]

aspnetcore/includes/blazor-security/blazor-shared-state.md

@@ -0,0 +1,18 @@
+Blazor server apps live in server memory. That means that there are multiple apps hosted within the same process. For each app session, Blazor starts a circuit with its own DI container scope. That means that scoped services are unique per Blazor session.
+
+> [!WARNING]
+> We don't recommend apps on the same server share state using singleton services unless extreme care is taken, as this can introduce security vulnerabilities, such as leaking user state across circuits.
+
+You can use stateful singleton services in Blazor apps if they are specifically designed for it. For example, it's ok to use a memory cache as a singleton because it requires a key to access a given entry, assuming users don't have control of what cache keys are used.
+
+**Additionally, again for security reasons, you must not use <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor> within Blazor apps.** Blazor apps run outside of the context of the ASP.NET Core pipeline and the <xref:Microsoft.AspNetCore.Http.HttpContext> isn't guaranteed to be available within the <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor>, nor it is guaranteed to be holding the context that started the Blazor app.
+
+The recommended way to pass request state to the Blazor app is through parameters to the root component in the initial rendering of the app:
+
+* Define a class with all the data you want to pass to the Blazor app.
+* Populate that data from the Razor page using the <xref:Microsoft.AspNetCore.Http.HttpContext> available at that time.
+* Pass the data to the Blazor app as a parameter to the root component (App).
+* Define a parameter in the root component to hold the data being passed to the app.
+* Use the user-specific data within the app; or alternatively, copy that data into a scoped service within <xref:Microsoft.AspNetCore.Components.ComponentBase.OnInitializedAsync%2A> so that it can be used across the app.
+
+For more information and example code, see <xref:security/blazor/server/additional-scenarios#pass-tokens-to-a-blazor-server-app>.

aspnetcore/security/blazor/server/threat-mitigation.md

@@ -24,6 +24,10 @@ In constrained environments, such as inside corporate networks or intranets, som
 * Doesn't apply in the constrained environment.
 * Isn't worth the cost to implement because the security risk is low in a constrained environment.
 
+## Blazor and shared state
+
+[!INCLUDE[](~/includes/blazor-security/blazor-shared-state.md)]
+
 ## Resource exhaustion
 
 Resource exhaustion can occur when a client interacts with the server and causes the server to consume excessive resources. Excessive resource consumption primarily affects: