The latest Microsoft.JSInterop and Mono.WebAssembly.Interop packages are missing the XML API doc files. These are needed to generate API docs for these libraries.

Hi guys,
I was thinking about how safe it would be to allow any call from javascript to .net functions via the JSInvokable attribute.
In a fully client environment (ie Blazor) it might not be a problem (client on client, you know it's insecure), but in Razor Components we're practically expanding the attack surface on the server (among other things without even saying it clearly).
Could it be useful to add a sort of filters to the call so that you can intercept and make it possible for the developer to block any illegitimate call?
Another alternative is to evaluate whether to use System.Security.Policy Evidence, so that calls from js run in a less secure context, but I think that it is also necessary to modify the hosting model of .net core to allow it.
I do not know, I await your considerations, maybe it's not a problem ...

I do some blazor component and want to host it as nuget package.

Mostly have methods marked as internal because they don't should be visible outside assembly.

Can't set internal to [JSInvokable] method because it requires only public.

I don't want this methods to be public accessible.