Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
3385a02
[11.0 P6] Blazor Preview 6 coverage
guardrex Jul 8, 2026
ad5066e
Updates
guardrex Jul 8, 2026
06572b4
Updates
guardrex Jul 9, 2026
0709fa6
Apply suggestions from code review
guardrex Jul 9, 2026
3f0aa0d
Updates
guardrex Jul 9, 2026
9da4ca3
Updates
guardrex Jul 10, 2026
87a326a
Updates
guardrex Jul 10, 2026
5716816
Updates
guardrex Jul 10, 2026
f5aec5b
Apply suggestions from code review
guardrex Jul 10, 2026
6c107c8
EnvironmentBoundary renamed to EnvironmentView
guardrex Jul 13, 2026
559bda5
GetUriWithHash renamed to GetUriWithFragment
guardrex Jul 13, 2026
fc74348
Rename disableDomPreservation to preserveDom (with opposite meaning)
guardrex Jul 13, 2026
813cd55
Fixes to TempData and `[SupplyParameterFromSession]` persistence for …
guardrex Jul 13, 2026
8515716
Virtualization: Content Security Policy (CSP) compliance
guardrex Jul 13, 2026
ade5f55
Redundant `app.UseAntiforgery()` removed from Blazor Web templates
guardrex Jul 13, 2026
ff16f4f
Preloading and enhanced nav -AND- automatic CSRF middleware
guardrex Jul 13, 2026
8181f9a
Updates
guardrex Jul 13, 2026
e93e34e
Apply suggestions from code review
guardrex Jul 13, 2026
2871d6f
Updates
guardrex Jul 13, 2026
cd5340e
React to Virtualize CSP feedback
guardrex Jul 14, 2026
0b22693
Updates
guardrex Jul 14, 2026
e15f308
Updates
guardrex Jul 14, 2026
f8d9161
Updates
guardrex Jul 14, 2026
6056a9e
Reverting blazor/fundamentals/startup.md changes
guardrex Jul 14, 2026
71c2b83
Configure Blazor client behavior from the server
guardrex Jul 14, 2026
c6bd135
Move the Configure Blazor client behavior from the server section UP
guardrex Jul 14, 2026
2b72e4a
Add Blazor Virtualize can scroll to an item to What's New coverage
guardrex Jul 14, 2026
0cb5bb0
Updates to BWA template change for antiforgery
guardrex Jul 14, 2026
64b7044
Union coverage updates
guardrex Jul 14, 2026
a48d605
React to feedback
guardrex Jul 14, 2026
7c5615b
Add additional CSRF/antiforgery middleware coverage
guardrex Jul 15, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 93 additions & 1 deletion aspnetcore/blazor/components/dynamiccomponent.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
---
title: Dynamically-rendered ASP.NET Core Razor components
ai-usage: ai-assisted
author: guardrex
description: Learn how to use dynamically-rendered Razor components in Blazor apps.
monikerRange: '>= aspnetcore-6.0'
ms.author: wpickett
ms.custom: mvc
ms.date: 11/11/2025
ms.date: 07/14/2026
uid: blazor/components/dynamiccomponent
---
# Dynamically-rendered ASP.NET Core Razor components
Expand Down Expand Up @@ -252,6 +253,97 @@ In the following example:

:::moniker-end

:::moniker range=">= aspnetcore-11.0"

Dictionary values for [C# union-typed parameters](/dotnet/csharp/language-reference/builtin-types/union) must be boxed as the union, not the raw case value, because an implicit conversion is only valid at compile-time.

<!-- UPDATE 11.0 - Remove the NOTE at GA -->

> [!NOTE]
> During the preview of .NET 11, the following example requires the app's project file to specify the "`preview`" C# language version:
>
> ```xml
> <LangVersion>preview</LangVersion>
> ```

Consider the following C# union type, `SlotContent`, that accepts text, a <xref:Microsoft.AspNetCore.Components.MarkupString>, or a <xref:Microsoft.AspNetCore.Components.RenderFragment>:

```csharp
using Microsoft.AspNetCore.Components;

public union SlotContent(string, MarkupString, RenderFragment);
```

The following `Slot` component exposes a component parameter typed to the `SlotContent` union and renders the union's content using two implementations of the [C# `switch` expression](/dotnet/csharp/language-reference/operators/switch-expression), one through an assignment to a <xref:Microsoft.AspNetCore.Components.RenderFragment> (`ContentSwitch`) and one via an inline `switch` expression. In the following example, the [`[EditorRequired]` attribute](xref:Microsoft.AspNetCore.Components.EditorRequiredAttribute) specifies that `Content` is a required component parameter at design-time or build-time.

`Slot.razor`:

```razor
<h2><code>ContentSwitch</code></h2>

<div>
@ContentSwitch()
</div>

<h2>Inline <code>switch</code> expression</h2>

<div>
@switch (Content)
{
case string text:
@text
break;
case MarkupString html:
@html
break;
case RenderFragment fragment:
@fragment
break;
default:
<em>Empty slot!</em>
break;
}
</div>

@code {
[Parameter, EditorRequired]
public SlotContent Content { get; set; }

private RenderFragment ContentSwitch() => Content switch
{
string text => @<span>@text</span>,
MarkupString html => @<span>@html</span>,
RenderFragment fragment => fragment,
_ => @<em>Empty slot!</em>
};
}
```

To box the union, wrap the raw value explicitly into the union wrapper type (`new SlotContent(...)`), as the following example demonstrates.

`SlotTest2.razor`:

```razor
@page "/slot-test-2"

<DynamicComponent Type="@TargetComponent" Parameters="@ValidParameters" />

@code {
[Parameter]
public Type TargetComponent { get; set; } = typeof(Slot);

[Parameter]
public string RawTextPayload { get; set; } = "Hello from dynamic data!";

private Dictionary<string, object> ValidParameters => new()
{
{ "Content", new SlotContent(RawTextPayload) }
};
}
```

:::moniker-end

## Event callbacks (`EventCallback`)

Event callbacks (<xref:Microsoft.AspNetCore.Components.EventCallback>) can be passed to a <xref:Microsoft.AspNetCore.Components.DynamicComponent> in its parameter dictionary.
Expand Down
132 changes: 123 additions & 9 deletions aspnetcore/blazor/components/index.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
---
title: ASP.NET Core Razor components
ai-usage: ai-assisted
author: guardrex
description: Learn how to create and use Razor components in Blazor apps, including guidance on Razor syntax, component naming, namespaces, and component parameters.
monikerRange: '>= aspnetcore-3.1'
ms.author: wpickett
ms.custom: mvc
ms.date: 06/24/2026
ms.date: 07/14/2026
uid: blazor/components/index
---
# ASP.NET Core Razor components
Expand Down Expand Up @@ -850,14 +851,6 @@ Assign a C# field, property, or result of a method to a component parameter as a

If the component parameter is of type string, then the attribute value is instead treated as a C# string literal. If you want to specify a C# expression instead, then use the `@` prefix.

:::moniker range=">= aspnetcore-11.0"

<!-- UPDATE 11.0 - Remove the following paragraph per resolution of the PU issue -->

The string-literal shortcut applies only to parameters declared as `string`. A parameter declared as a [C# union type](/dotnet/csharp/whats-new/csharp-14#union-types), even one whose cases include `string`, isn't a `string`-typed parameter, so the attribute value must be a C# expression. Use the `@` prefix, for example `Message="@("Saved.")"`.

:::moniker-end

The following parent component displays four instances of the preceding `ParameterChild` component and sets their `Title` parameter values to:

* The value of the `title` field.
Expand Down Expand Up @@ -1171,6 +1164,127 @@ Quote &copy;2005 [Universal Pictures](https://www.uphe.com): [Serenity](https://

:::moniker-end

:::moniker range=">= aspnetcore-11.0"

Support for [C# union types](/dotnet/csharp/language-reference/builtin-types/union) allows a single component parameter to represent a value that's exactly one of a fixed set of types with compiler-enforced exhaustive pattern matching. A component parameter is set by direct assignment when a component is rendered from Razor markup or through <xref:Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder.AddComponentParameter%2A?displayProperty=nameWithType>.

<!-- UPDATE 11.0 - Remove the NOTE at GA -->

> [!NOTE]
> During the preview of .NET 11, the following example requires the app's project file to specify the "`preview`" C# language version:
>
> ```xml
> <LangVersion>preview</LangVersion>
> ```

The following C# union type, `SlotContent`, accepts text, a <xref:Microsoft.AspNetCore.Components.MarkupString>, or a <xref:Microsoft.AspNetCore.Components.RenderFragment>:

```csharp
using Microsoft.AspNetCore.Components;

public union SlotContent(string, MarkupString, RenderFragment);
```

The following `Slot` component exposes a component parameter typed to the `SlotContent` union and renders the union's content using two implementations of the [C# `switch` expression](/dotnet/csharp/language-reference/operators/switch-expression), one through an assignment to a <xref:Microsoft.AspNetCore.Components.RenderFragment> (`ContentSwitch`) and one via an inline `switch` expression. In the following example, the [`[EditorRequired]` attribute](xref:Microsoft.AspNetCore.Components.EditorRequiredAttribute) specifies that `Content` is a required component parameter at design-time or build-time.

`Slot.razor`:

```razor
<h2><code>ContentSwitch</code></h2>

<div>
@ContentSwitch()
</div>

<h2>Inline <code>switch</code> expression</h2>

<div>
@switch (Content)
{
case string text:
@text
break;
case MarkupString html:
@html
break;
case RenderFragment fragment:
@fragment
break;
default:
<em>Empty slot!</em>
break;
}
</div>

@code {
[Parameter, EditorRequired]
public SlotContent Content { get; set; }

private RenderFragment ContentSwitch() => Content switch
{
string text => @<span>@text</span>,
MarkupString html => @<span>@html</span>,
RenderFragment fragment => fragment,
_ => @<em>Empty slot!</em>
};
}
```

The following `SlotExample` component uses the preceding `SlotContent` type and `Slot` component.

`SlotExample.razor`:

```razor
@page "/slot-example"

<h1>Plain text</h1>

<Slot Content="@("Simple plain text slot")" />

<h1><code>MarkupString</code></h1>

<Slot Content='@((MarkupString)"<strong>Bold HTML slot</strong>")' />

<h1><code>RenderFragment</code></h1>

<Slot Content="@content" />

@code {
private SlotContent content;

protected override void OnInitialized()
{
content = new SlotContent((RenderFragment)(b =>
{
b.OpenElement(0, "button");
b.AddAttribute(1, "onclick", EventCallback.Factory.Create(this, Increment));
b.AddContent(2, "Count: ");
b.AddContent(3, currentCount);
b.CloseElement();
}));
}

private int currentCount = 0;

private void Increment() => currentCount++;
}
```

<!-- UPDATE 11.0 - Remove the following paragraph per resolution of the PU issue -->

The string-literal shortcut applies only to parameters declared as `string`. A parameter declared as a C# union type, even one whose cases include `string`, isn't a `string`-typed parameter, so the attribute value must be a C# expression. Use the `@` prefix, as demonstrated by `Content="@("Simple plain text slot")"` in the preceding example.

<!-- UPDATE 11.0 - Track on https://github.com/dotnet/razor/issues/13200 for
the following feature. -->

Populating a union-typed parameter via a [child content render fragment](#child-content-render-fragments) (`<Slot>...</Slot>`) isn't supported at this time but might be introduced in a future preview release.

<!-- UPDATE 13.0 - Remove the following cross-link when C# unions get some time on them (target removal for .NET 13) -->

For more information, see [Explore union types in C# 15](https://devblogs.microsoft.com/dotnet/csharp-15-union-types/).

:::moniker-end

## Route parameters

Components can specify route parameters in the route template of the [`@page`][9] directive. The [Blazor router](xref:blazor/fundamentals/routing) uses route parameters to populate corresponding component parameters.
Expand Down
42 changes: 41 additions & 1 deletion aspnetcore/blazor/components/virtualization.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ description: Learn how to use component virtualization in ASP.NET Core Blazor ap
monikerRange: '>= aspnetcore-5.0'
ms.author: wpickett
ms.custom: mvc
ms.date: 11/11/2025
ms.date: 07/14/2026
uid: blazor/components/virtualization
---
# ASP.NET Core Razor component virtualization
Expand Down Expand Up @@ -365,6 +365,26 @@ If your source code looks like the following:

At runtime, the <xref:Microsoft.AspNetCore.Components.Web.Virtualization.Virtualize%601> component renders a DOM structure similar to the following:

:::moniker-end

:::moniker range=">= aspnetcore-11.0"

```html
<div style="height:500px; overflow-y:scroll" tabindex="-1">
<div data-blazor-virtualize-reserved-height="1100" aria-hidden="true"></div>
<div class="flight-info">Flight 12</div>
<div class="flight-info">Flight 13</div>
<div class="flight-info">Flight 14</div>
<div class="flight-info">Flight 15</div>
<div class="flight-info">Flight 16</div>
<div data-blazor-virtualize-reserved-height="3400" aria-hidden="true"></div>
</div>
```

:::moniker-end

:::moniker range="< aspnetcore-11.0"

```html
<div style="height:500px; overflow-y:scroll" tabindex="-1">
<div style="height:1100px"></div>
Expand All @@ -377,6 +397,10 @@ At runtime, the <xref:Microsoft.AspNetCore.Components.Web.Virtualization.Virtual
</div>
```

:::moniker-end

:::moniker range=">= aspnetcore-6.0"

The actual number of rows rendered and the size of the spacers vary according to your styling and `Items` collection size. However, notice that there are spacer `div` elements injected before and after your content. These serve two purposes:

* To provide an offset before and after your content, causing currently-visible items to appear at the correct location in the scroll range and the scroll range itself to represent the total size of all content.
Expand Down Expand Up @@ -472,3 +496,19 @@ In the preceding example, the document root is used as the scroll container, so
* <xref:blazor/components/control-head-content>

:::moniker-end

:::moniker range=">= aspnetcore-7.0"

## Content Security Policy (CSP) compliance

The `Virtualize` component renders dynamic inline `style` attributes on its spacer elements because spacer heights are calculated at runtime based on scroll position, item count, and average item size, which change on every scroll interaction.

To avoid CSP violations, render CSS height in a `data-blazor-virtualize-reserved-height` attribute instead of a `style` attribute, which makes the rendered component compatible with strict [Content Security Policy (CSP)](https://developer.mozilla.org/docs/Web/HTTP/Guides/CSP) configurations.

In the following example, the height is set to 3,400 pixels:

```razor
<div data-blazor-virtualize-reserved-height="3400" aria-hidden="true"></div>
```

:::moniker-end
43 changes: 43 additions & 0 deletions aspnetcore/blazor/forms/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -289,8 +289,51 @@ There's no need to call <xref:Microsoft.AspNetCore.Components.ComponentBase.Stat

Antiforgery services are automatically added to Blazor apps when <xref:Microsoft.Extensions.DependencyInjection.RazorComponentsServiceCollectionExtensions.AddRazorComponents%2A> is called in the `Program` file.

:::moniker-end

:::moniker range=">= aspnetcore-11.0"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what kind of info we need to put here, but maybe extend a bit with usage?

:::moniker range=">= aspnetcore-11.0"

Blazor apps are protected against Cross-Site Request Forgery (CSRF/XSRF) by two complementary mechanisms.

Automatic header-based CSRF protection middleware

Automatic CSRF protection middleware is enabled by default in apps built with WebApplication.CreateBuilder. The middleware inspects the Sec-Fetch-Site and Origin headers on unsafe HTTP methods and records a validation verdict on the request. Blazor server-side rendering (SSR) form posts enforce that verdict and return a 400 Bad Request response for cross-origin form posts that aren't trusted. No pipeline configuration is required to enable this protection.

Token-based antiforgery

Token-based antiforgery services are added to the app when xref:Microsoft.Extensions.DependencyInjection.RazorComponentsServiceCollectionExtensions.AddRazorComponents%2A is called in the Program file. However, token validation only runs when Antiforgery Middleware is explicitly added to the request processing pipeline by calling xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A.

How the two mechanisms interact

Adding token-based antiforgery doesn't replace the automatic header-based middleware. When an app calls xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A, both defense mechanisms run for a form post: the header-based CSRF protection middleware runs first and records its verdict, then Antiforgery Middleware performs token-based validation. The token-based result is authoritative and overrides the earlier header-based verdict.

To explicitly add Antiforgery Middleware, call xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A after the call to xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseRouting%2A. If there are calls to xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseRouting%2A and xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseEndpoints%2A, the call to xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A must go between them. A call to xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A must be placed after calls to xref:Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions.UseAuthentication%2A and xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization%2A.

Disable the automatic CSRF protection middleware

To disable the automatic header-based CSRF protection middleware, set the DisableCsrfProtection configuration key to true. For example, in appsettings.json:

{
  "DisableCsrfProtection": true
}

The setting can be supplied by any configuration source, including an environment variable (DisableCsrfProtection=true).

Warning

Disabling the automatic CSRF protection middleware removes the default header-based (Sec-Fetch-Site/Origin) protection for the entire app. Only disable it if you provide an alternative CSRF defense, such as explicitly adopting token-based Antiforgery Middleware with xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A.

For more information, see xref:security/csrf-protection.

Important

The following guidance on the xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryToken component and the xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryStateProvider service only apply to an app that explicitly adopts token-based Antiforgery Middleware by calling xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A in its request processing pipeline.

:::moniker-end


Automatic Cross-Site Request Forgery (CSRF) protection middleware is enabled by default in apps built with `WebApplication.CreateBuilder`. The middleware inspects the `Sec-Fetch-Site` and `Origin` headers on unsafe HTTP methods and records a validation verdict on the request. Blazor server-side rendering (SSR) form posts enforce that verdict and return `400 Bad Request` for cross-origin form posts that aren't trusted.

Token-based antiforgery services are added to the app when <xref:Microsoft.Extensions.DependencyInjection.RazorComponentsServiceCollectionExtensions.AddRazorComponents%2A> is called in the `Program` file. However, token validation only runs when antiforgery middleware is explicitly added to the request processing pipeline by calling <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A>.

Adding token-based antiforgery middleware doesn't replace the automatic header-based CSRF protection middleware. When an app calls <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A>, both defense mechanisms run for a form post:

* The header-based CSRF protection middleware runs first and records its verdict.
* Antiforgery middleware performs token-based validation.

The token-based result from antiforgery middleware is authoritative and overrides the earlier header-based CSRF middleware verdict.

To explicitly add Antiforgery Middleware, call <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> after the call to <xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseRouting%2A>. If there are calls to <xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseRouting%2A> and <xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseEndpoints%2A>, the call to <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> must go between them. A call to <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> must be placed after calls to <xref:Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions.UseAuthentication%2A> and <xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization%2A>.

To disable the automatic header-based CSRF protection middleware, set the `DisableCsrfProtection` configuration key to true. For example, use the app settings file (`appsettings.json`) to disable the middleware:

```json
{
"DisableCsrfProtection": true
}
```

The the `DisableCsrfProtection` configuration setting can be supplied by any configuration source, including via an environment variable (`DisableCsrfProtection=true`).

> [!WARNING]
> Disabling the automatic CSRF protection middleware removes the default header-based (`Sec-Fetch-Site`/`Origin`) protection for the entire app. Only disable it if you provide an alternative CSRF defense, such as explicitly adopting token-based antiforgery middleware by calling <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A>.

For more information, see <xref:security/csrf-protection>.

> [!IMPORTANT]
> The following guidance on the <xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryToken> component and the <xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryStateProvider> service only apply to an app that explicitly adopts token-based Antiforgery Middleware by calling <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> in its request processing pipeline.

:::moniker-end

:::moniker range=">= aspnetcore-8.0 < aspnetcore-11.0"

The app uses Antiforgery Middleware by calling <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> in its request processing pipeline in the `Program` file. <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> is called after the call to <xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseRouting%2A>. If there are calls to <xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseRouting%2A> and <xref:Microsoft.AspNetCore.Builder.EndpointRoutingApplicationBuilderExtensions.UseEndpoints%2A>, the call to <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> must go between them. A call to <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> must be placed after calls to <xref:Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions.UseAuthentication%2A> and <xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization%2A>.

:::moniker-end

:::moniker range=">= aspnetcore-8.0"

The <xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryToken> component renders an antiforgery token as a hidden field, and the `[RequireAntiforgeryToken]` attribute enables antiforgery protection. If an antiforgery check fails, a [`400 - Bad Request`](https://developer.mozilla.org/docs/Web/HTTP/Status/400) response is thrown and the form isn't processed.

For forms based on <xref:Microsoft.AspNetCore.Components.Forms.EditForm>, the <xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryToken> component and `[RequireAntiforgeryToken]` attribute are automatically added to provide antiforgery protection.
Expand Down
Loading
Loading