-
Notifications
You must be signed in to change notification settings - Fork 24.7k
[11.0 P6] Blazor Preview 6 coverage #37322
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
+538
−58
Merged
Changes from all commits
Commits
Show all changes
31 commits
Select commit
Hold shift + click to select a range
3385a02
[11.0 P6] Blazor Preview 6 coverage
guardrex ad5066e
Updates
guardrex 06572b4
Updates
guardrex 0709fa6
Apply suggestions from code review
guardrex 3f0aa0d
Updates
guardrex 9da4ca3
Updates
guardrex 87a326a
Updates
guardrex 5716816
Updates
guardrex f5aec5b
Apply suggestions from code review
guardrex 6c107c8
EnvironmentBoundary renamed to EnvironmentView
guardrex 559bda5
GetUriWithHash renamed to GetUriWithFragment
guardrex fc74348
Rename disableDomPreservation to preserveDom (with opposite meaning)
guardrex 813cd55
Fixes to TempData and `[SupplyParameterFromSession]` persistence for …
guardrex 8515716
Virtualization: Content Security Policy (CSP) compliance
guardrex ade5f55
Redundant `app.UseAntiforgery()` removed from Blazor Web templates
guardrex ff16f4f
Preloading and enhanced nav -AND- automatic CSRF middleware
guardrex 8181f9a
Updates
guardrex e93e34e
Apply suggestions from code review
guardrex 2871d6f
Updates
guardrex cd5340e
React to Virtualize CSP feedback
guardrex 0b22693
Updates
guardrex e15f308
Updates
guardrex f8d9161
Updates
guardrex 6056a9e
Reverting blazor/fundamentals/startup.md changes
guardrex 71c2b83
Configure Blazor client behavior from the server
guardrex c6bd135
Move the Configure Blazor client behavior from the server section UP
guardrex 2b72e4a
Add Blazor Virtualize can scroll to an item to What's New coverage
guardrex 0cb5bb0
Updates to BWA template change for antiforgery
guardrex 64b7044
Union coverage updates
guardrex a48d605
React to feedback
guardrex 7c5615b
Add additional CSRF/antiforgery middleware coverage
guardrex File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure what kind of info we need to put here, but maybe extend a bit with usage?
:::moniker range=">= aspnetcore-11.0"
Blazor apps are protected against Cross-Site Request Forgery (CSRF/XSRF) by two complementary mechanisms.
Automatic header-based CSRF protection middleware
Automatic CSRF protection middleware is enabled by default in apps built with
WebApplication.CreateBuilder. The middleware inspects theSec-Fetch-SiteandOriginheaders on unsafe HTTP methods and records a validation verdict on the request. Blazor server-side rendering (SSR) form posts enforce that verdict and return a400 Bad Requestresponse for cross-origin form posts that aren't trusted. No pipeline configuration is required to enable this protection.Token-based antiforgery
Token-based antiforgery services are added to the app when xref:Microsoft.Extensions.DependencyInjection.RazorComponentsServiceCollectionExtensions.AddRazorComponents%2A is called in the
Programfile. However, token validation only runs when Antiforgery Middleware is explicitly added to the request processing pipeline by calling xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A.How the two mechanisms interact
Adding token-based antiforgery doesn't replace the automatic header-based middleware. When an app calls xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A, both defense mechanisms run for a form post: the header-based CSRF protection middleware runs first and records its verdict, then Antiforgery Middleware performs token-based validation. The token-based result is authoritative and overrides the earlier header-based verdict.
To explicitly add Antiforgery Middleware, call xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A after the call to xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseRouting%2A. If there are calls to xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseRouting%2A and xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseEndpoints%2A, the call to xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A must go between them. A call to xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A must be placed after calls to xref:Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions.UseAuthentication%2A and xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization%2A.
Disable the automatic CSRF protection middleware
To disable the automatic header-based CSRF protection middleware, set the
DisableCsrfProtectionconfiguration key totrue. For example, inappsettings.json:{ "DisableCsrfProtection": true }The setting can be supplied by any configuration source, including an environment variable (
DisableCsrfProtection=true).Warning
Disabling the automatic CSRF protection middleware removes the default header-based (
Sec-Fetch-Site/Origin) protection for the entire app. Only disable it if you provide an alternative CSRF defense, such as explicitly adopting token-based Antiforgery Middleware with xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A.For more information, see xref:security/csrf-protection.
Important
The following guidance on the xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryToken component and the xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryStateProvider service only apply to an app that explicitly adopts token-based Antiforgery Middleware by calling xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A in its request processing pipeline.
:::moniker-end