Many of the features (Dependency injection, etc) seem only to be available for ASP.Net Core. What about cross platform desktop applications? Do we have a GUI layer that is cross platform as well?
Microsoft's offering here is Xamarin Forms. If you're an application developer that's probably enough and useful. Otherwise, given that Microsoft is now a cloud and services company there doesn't seem to be much of a push for cross-platform desktop applications. Personally I'm still hoping for Avalonia to be picked up officially, but perhaps that's just me liking WPF too much and hoping in vain.
My personal opinion is that people are sleeping on local HTML apps.
Local files, if you want, make everything lightning fast. Hosting your own web-browser lets you hook into whatever you want, and handle it however you want. A local server makes hosting whatever you want simple, too. There's a pre-existing plugin and component model for serving rich content... Every knows HTML and CSS, and sharding off chunks of the app to a genuine web app is straightforward...
A well factored, MVVM, WPF should be relatively easy to port to this model, and there are mature databinding libraries to handle the plumbing...
Maybe it's just me, but I'd rather take the pain points of a known technology than another 10 years of uncertainty and no cross-platform story.
It's probably less secure by default. Make sure to reject all HTTP requests where the Origin header doesn't match the local server host, or just all request with an Origin header.
What you really need is a shared secret between (embedded) browser and (local) server.
IP, host header, origin header can be checked as defense in depth, but can't prevent local privilege escalation from non browser clients and are quite fragile even in browsers.
(or use a secure non TCP/IP based communication channel)
> but can't prevent local privilege escalation from non browser clients
That is such a different threat model though. A native app has a lot more permissions than a web page. Trying to protect one native app from another is not really done much. Like, are MS Word documents encrypted so Slack can't read them from disk?
Oh, the dependency injection definitely works independently of ASP.NET Core - it's just something frequently talked about in tandem with it. Just wrote a console app that used it a couple of days ago.
I don't know about the current status of the GUI layer, other than that I've heard plans for WPF to be ported over to .NET Core. I don't know if or when that will actually happen.
Both WPF and WinForms will be part of .NET Core 3.0. They've done a few demos of it already, and were able to port over existing apps without any changes to the code. This even worked when using third party controls like the ones you can get from Telerik. They just added references to the Telerik .dll's they already had, and everything just worked.
They'll still only run on Windows, but it's a nice option for teams that want to move their existing apps over to .NET Core and take advantage of the quicker update cycle and improved performance.
There are plans to bring WPF to .NET Core but it will still be windows only. It is being done because Microsoft wants to move all development to be on top of .NET Core.