[Blazor] Add support for antiforgery #49108
60a7bf9 to 6ad2c32
@@ -175,6 +175,11 @@ public void AddAttribute(int sequence, string name) | |||
throw new InvalidOperationException($"Valueless attributes may only be added immediately after frames of type {RenderTreeFrameType.Element}"); | |||
} | |||
|
|||
if (TrackNamedEventHandlers && string.Equals(name, "@onsubmit:name", StringComparison.Ordinal)) | |||
{ | |||
_entries.AppendAttribute(sequence, name, ""); |
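Review bot: The new `if` in `AddAttribute(int sequence, string name)` matches the bare literal `"@onsubmit:name"` and stores an empty string through `_entries.AppendAttribute(sequence, name, "")`, with no comment explaining why this one attribute name leaves the normal valueless-attribute path. Suggest moving the literal into a named constant and adding a short comment that the empty value is intentional when `TrackNamedEventHandlers` is set. If the branch is meant to be temporary, say so in the comment so that it gets removed rather than left behind.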
Is the idea that people would write `<... @onsubmit:name>` with no value?
You can do no value, but more commonly you would do `@onsubmit:name=""` which gets translated to `true`, which is what this code avoids. Once the directive for the razor compiler is in, this will just be `SetEventHandlerName`.
Looks great!

The only remaining thing is an idea that, since `AntiforgeryStateProvider` only uses `PersistentComponentState` as an internal implementation detail, it would be ideal not to couple the public API to that. For example, `AntiforgeryStateProvider` itself could be reduced to an abstract base class or interface that only describes the public API, and then we could have a shared-source `DefaultAntiforgeryStateProvider` that uses `PersistentComponentState` and is used in WebAssembly and in Endpoints.

I don't want to hold up your PR with this though. If you feel inclined to do that, that's great. If not, would you be OK with me doing that as a follow-up afterwards? The point is just to keep the public API as lean as it can be, and give us flexibility to change the set of services this depends on over time.

That's absolutely fine, I was trying to avoid the need for an additional abstraction, but your point is fair and I don't feel strongly about it. I'll update the PR to change it.
47475e2 to b69673c
Co-authored-by: Steve Sanderson <SteveSandersonMS@users.noreply.github.com>
fb3cf3a to bf09a17
- `IAntiforgeryMetadata` interface to describe the antiforgery requirement.
- `RequireAntiforgeryToken` attribute to require antiforgery.
- `RequireAntiforgeryToken` to all razor component endpoints.
- `AntiforgeryTokenStateProvider` service that retrieves and renders the antiforgery token for the app.
- `AntiforgeryToken` component that renders the request antiforgery token as a hidden field.
- `EditForm` automatically render the `AntiforgeryToken` when inside of a form binding context.