Update CSRF/antiforgery docs for deferred validation behavior #37262
Open
DeagleGross wants to merge 5 commits into
Conversation
Reconcile the automatic CSRF protection docs with the deferred validation model where CsrfProtectionMiddleware records a verdict on IAntiforgeryValidationFeature instead of short-circuiting, and form consumers enforce it. Adds deferred-validation, token-precedence, and Blazor SSR sections, updates examples to form-based scenarios, refreshes diagnostics strings, and documents the migration breaking changes and caveats. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Document the .NET 11 breaking change where Blazor static server-side rendering defers antiforgery validation to middleware and skips token generation when no token middleware ran. Adds the breaking-changes article, indexes it in overview.md and toc.yml, and cross-links it from the CSRF reference and migration articles. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Spell out server-side-rendering in the filename to satisfy the repo filename rules, and update the overview index, toc.yml, and cross-links accordingly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Spell out the filename fully (no ssr abbreviation, no antiforgery closed compound) to clear the filename suggestion from the docs build, and update the overview index, toc.yml, and cross-links accordingly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
wadepickett
reviewed
Jun 19, 2026
wadepickett
approved these changes
Jun 19, 2026
wadepickett
left a comment
Contributor
@DeagleGross, looks great! See the very minor items I suggested inline to consider.
Co-authored-by: Wade Pickett <wpickett@microsoft.com>
Follow-up docs for dotnet/aspnetcore#67082 (defer antiforgery/CSRF rejection to form consumers). Keeping this as a draft — will be marked ready for review once #67082 is merged into dotnet/aspnetcore.
Summary
The merged docs for automatic CSRF protection in .NET 11 described the middleware as short-circuiting cross-origin write requests with 400. dotnet/aspnetcore#67082 changes that runtime behavior: the `CsrfProtectionMiddleware` now records its verdict on the shared `IAntiforgeryValidationFeature` and lets the request continue, and rejection is deferred to the components that consume the submitted form. This PR reconciles the docs with that model.

Files changed

- aspnetcore/security/csrf-protection.md
  - `IAntiforgeryValidationFeature` and enforced only when a form consumer reads it (MVC antiforgery, minimal-API form binding, Blazor SSR, or a direct form read). Notes explicitly that JSON/non-form endpoints proceed even when the verdict is invalid.
  - `[FromForm]`) endpoints so the "rejected with 400" narrative is accurate.
  - `CsrfValidationFailed`, "marked request … as invalid"), and a caveat note under Disabling globally.
- aspnetcore/migration/antiforgery-to-csrf.md
  - `app.UseAntiforgery()` shifts protection to the CSRF middleware and stops antiforgery token generation).
  - `DisableCsrfProtection` or non-`WebApplication` hosts.

Both files have `ms.date` bumped and retain `ai-usage: ai-assisted`.

Internal previews
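A consumer-side view of the deferred model described in this PR, as an added example that is not part of the docs PR or of the dotnet/aspnetcore repository. It assumes the .NET 8 shape of `IAntiforgeryValidationFeature` (`IsValid` and `Error` members), assumes the CSRF middleware described here runs as part of the default `WebApplication` pipeline so that a verdict is already recorded when an endpoint executes, and uses hypothetical route paths and input types. It shows the three outcomes the description lists: a `[FromForm]` endpoint that the framework enforces for you, a direct form read that must consult the verdict itself, and a JSON endpoint that proceeds regardless of the verdict.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumption: the CSRF middleware from this PR is in the default pipeline, so by
// the time a handler runs it has recorded its verdict on
// IAntiforgeryValidationFeature instead of short-circuiting with 400.

// 1. Minimal-API form binding: [FromForm] is a form consumer, so the framework
//    reads the recorded verdict and rejects an invalid request before the
//    handler body runs. Nothing to do here beyond binding the form.
app.MapPost("/profile/display-name", ([FromForm] DisplayNameForm form) =>
    Results.Ok(new { saved = form.DisplayName }));

// 2. Direct form read: no binder consumes the form, so the endpoint must check
//    the verdict itself. Fail closed when the feature is absent, which is what a
//    host without the middleware (e.g. a non-WebApplication host) looks like.
app.MapPost("/profile/avatar", async (HttpContext ctx) =>
{
    var verdict = ctx.Features.Get<IAntiforgeryValidationFeature>();
    if (verdict is null || !verdict.IsValid)
    {
        return Results.Problem(
            statusCode: StatusCodes.Status400BadRequest,
            title: "Antiforgery validation failed",
            detail: verdict?.Error?.Message ?? "No antiforgery verdict was recorded");
    }

    // Only touch the submitted form after the verdict has been enforced.
    var form = await ctx.Request.ReadFormAsync();
    var file = form.Files.GetFile("avatar");
    return file is null
        ? Results.BadRequest("avatar is required")
        : Results.Ok(new { bytes = file.Length });
});

// 3. JSON endpoint: no form consumer reads the verdict, so the request proceeds
//    even when the verdict is invalid. This endpoint is not covered by the CSRF
//    verdict at all and needs its own cross-origin defenses.
app.MapPost("/api/notes", (NoteInput note) =>
    Results.Created($"/api/notes/{note.Id}", note));

app.Run();

// Hypothetical input types for the example.
class DisplayNameForm
{
    public string DisplayName { get; set; } = "";
}

record NoteInput(int Id, string Text);
```

The null check in the direct-read handler is the part a practitioner should not drop: under the deferred model an absent feature means no middleware recorded anything, and treating that as "valid" silently removes CSRF protection from that endpoint.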