Remove redundant app.UseAntiforgery() from Blazor Web templates#563
Closed
DeagleGross wants to merge 1 commit into
Closed
Remove redundant app.UseAntiforgery() from Blazor Web templates#563DeagleGross wants to merge 1 commit into
DeagleGross wants to merge 1 commit into
Conversation
Both Program.cs (top-level) and Program.Main.cs variants of the BlazorWeb-CSharp template no longer need the explicit call: CsrfProtectionMiddleware (auto-injected by WebApplication) handles cross-site request protection via Sec-Fetch-Site/Origin, and the Razor Components endpoint invoker no longer self-validates token-based antiforgery when the new CSRF middleware ran. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Removes the explicit
app.UseAntiforgery();call from the twoProgram.csvariants of theBlazorWeb-CSharptemplate. The call is now redundant in Blazor apps for two reasons:CsrfProtectionMiddleware(auto-injected byWebApplication.CreateBuildersince Implement Cross-Site Request Forgery Algorithm based on Fetch Metadata headers dotnet/aspnetcore#66585) blocks cross-site state-changing requests viaSec-Fetch-Site/Originheaders — covering the protection thatUseAntiforgery()was previously providing for Blazor form posts in the template.dmkorolev/csrf-in-blazor, PR [breaking] Defer antiforgery/CSRF rejection to form consumers viaIAntiforgeryValidationFeaturedotnet/aspnetcore#67082). The token-generation side is also gated on the legacy AF middleware actually running, so omittingUseAntiforgery()is internally consistent.Files changed
src/ProjectTemplates/Web.ProjectTemplates/content/BlazorWeb-CSharp/BlazorWebCSharp.1/Program.cssrc/ProjectTemplates/Web.ProjectTemplates/content/BlazorWeb-CSharp/BlazorWebCSharp.1/Program.Main.csMain-styleEach file: 2 deletions (the
app.UseAntiforgery();line plus the now-orphan blank line below it).Scope notes
A full-tree
grep "UseAntiforgery"confirmed these are the only templates that call the method. No MVC, Razor Pages, Web API, or other Web templates touch antiforgery. Test assets and framework source intentionally left alone. In-tree samples (src/Components/Samples/BlazorUnitedApp/Program.cs,src/Identity/samples/IdentitySample.PasskeyUI/Program.cs) were initially included but reverted — the equivalent cleanup for sample apps belongs indotnet/AspNetCore.Docs.Samples, not here.grep "Antiforgery" src/ProjectTemplates/test/returns zero matches, so no snapshot/baseline test needs updating.Verification
dotnet build src/ProjectTemplates/Web.ProjectTemplates/Microsoft.DotNet.Web.ProjectTemplates.csproj→ 0 errors / 0 warnings.src/ProjectTemplatesconfirms noUseAntiforgeryreferences remain in template content.Companion PRs
dmkorolev/csrf-in-blazor(PR [breaking] Defer antiforgery/CSRF rejection to form consumers viaIAntiforgeryValidationFeaturedotnet/aspnetcore#67082) — the Razor Components endpoint invoker noop work that makes this safe.CsrfProtectionMiddlewareintoWebApplication.Stacked PR; merge after PR dotnet#67082.