[Blazor] Emit antiforgery only when streaming, a form has been placed on the page or there are interactive render modes configured (#62653)

javiercn · web-flow · commit 47bd1c4d3864 · 2025-07-10T21:08:48.000+02:00
* Emit antiforgery only when streaming, a form has been placed on the page or there are interactive render modes configured
diff --git a/src/Components/Endpoints/src/Forms/EndpointAntiforgeryStateProvider.cs b/src/Components/Endpoints/src/Forms/EndpointAntiforgeryStateProvider.cs
@@ -10,10 +10,12 @@ namespace Microsoft.AspNetCore.Components.Endpoints.Forms;
 internal class EndpointAntiforgeryStateProvider(IAntiforgery antiforgery) : DefaultAntiforgeryStateProvider()
 {
     private HttpContext? _context;
+    private bool _canGenerateToken;
 
     internal void SetRequestContext(HttpContext context)
     {
         _context = context;
+        _canGenerateToken = true;
     }
 
     public override AntiforgeryRequestToken? GetAntiforgeryToken()
@@ -24,17 +26,23 @@ internal void SetRequestContext(HttpContext context)
             return _currentToken;
         }
 
-        // We already have a callback setup to generate the token when the response starts if needed.
-        // If we need the tokens before we start streaming the response, we'll generate and store them;
-        // otherwise we'll just retrieve them.
-        // In case there are no tokens available, we are going to return null and no-op.
-        var tokens = !_context.Response.HasStarted ? antiforgery.GetAndStoreTokens(_context) : antiforgery.GetTokens(_context);
-        if (tokens.RequestToken is null)
+        if (_currentToken == null && _canGenerateToken)
         {
-            return null;
+            // We already have a callback setup to generate the token when the response starts if needed.
+            // If we need the tokens before we start streaming the response, we'll generate and store them;
+            // otherwise we'll just retrieve them.
+            // In case there are no tokens available, we are going to return null and no-op.
+            var tokens = !_context.Response.HasStarted ? antiforgery.GetAndStoreTokens(_context) : antiforgery.GetTokens(_context);
+            if (tokens.RequestToken is null)
+            {
+                return null;
+            }
+
+            _currentToken = new AntiforgeryRequestToken(tokens.RequestToken, tokens.FormFieldName);
         }
 
-        _currentToken = new AntiforgeryRequestToken(tokens.RequestToken, tokens.FormFieldName);
         return _currentToken;
     }
+
+    internal void DisableTokenGeneration() => _canGenerateToken = false;
 }
diff --git a/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs b/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
@@ -6,7 +6,9 @@
 using System.Text;
 using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Components.Endpoints.Forms;
 using Microsoft.AspNetCore.Components.Endpoints.Rendering;
+using Microsoft.AspNetCore.Components.Forms;
 using Microsoft.AspNetCore.Components.Infrastructure;
 using Microsoft.AspNetCore.Diagnostics;
 using Microsoft.AspNetCore.Http;
@@ -76,14 +78,6 @@ private async Task RenderComponentCore(HttpContext context)
             return;
         }
 
-        context.Response.OnStarting(() =>
-        {
-            // Generate the antiforgery tokens before we start streaming the response, as it needs
-            // to set the cookie header.
-            antiforgery!.GetAndStoreTokens(context);
-            return Task.CompletedTask;
-        });
-
         if (httpActivityContext != default)
         {
             _activityLinkStore.SetActivityContext(ComponentsActivityLinkStore.Http, httpActivityContext, null);
@@ -143,8 +137,17 @@ await _renderer.InitializeStandardComponentServicesAsync(
             var bufferingFeature = context.Features.GetRequiredFeature<IHttpResponseBodyFeature>();
             bufferingFeature.DisableBuffering();
 
+            // Store the tokens if not emitted already in case we stream a form in the response.
+            antiforgery!.GetAndStoreTokens(context);
+
             context.Response.Headers.ContentEncoding = "identity";
         }
+        else if (endpoint.Metadata.GetMetadata<ConfiguredRenderModesMetadata>()?.ConfiguredRenderModes.Length == 0)
+        {
+            // Disable token generation on EndpointAntiforgeryStateProvider if we are not streaming.
+            var provider = (EndpointAntiforgeryStateProvider)context.RequestServices.GetRequiredService<AntiforgeryStateProvider>();
+            provider.DisableTokenGeneration();
+        }
 
         // Importantly, we must not yield this thread (which holds exclusive access to the renderer sync context)
         // in between the first call to htmlContent.WriteTo and the point where we start listening for subsequent

Original file line number	Diff line number	Diff line change
`@@ -10,10 +10,12 @@ namespace Microsoft.AspNetCore.Components.Endpoints.Forms;`
`10`	`10`	`internal class EndpointAntiforgeryStateProvider(IAntiforgery antiforgery) : DefaultAntiforgeryStateProvider()`
`11`	`11`	`{`
`12`	`12`	`private HttpContext? _context;`
	`13`	`+ private bool _canGenerateToken;`
`13`	`14`
`14`	`15`	`internal void SetRequestContext(HttpContext context)`
`15`	`16`	`{`
`16`	`17`	`_context = context;`
	`18`	`+ _canGenerateToken = true;`
`17`	`19`	`}`
`18`	`20`
`19`	`21`	`public override AntiforgeryRequestToken? GetAntiforgeryToken()`
`@@ -24,17 +26,23 @@ internal void SetRequestContext(HttpContext context)`
`24`	`26`	`return _currentToken;`
`25`	`27`	`}`
`26`	`28`
`27`		`- // We already have a callback setup to generate the token when the response starts if needed.`
`28`		`- // If we need the tokens before we start streaming the response, we'll generate and store them;`
`29`		`- // otherwise we'll just retrieve them.`
`30`		`- // In case there are no tokens available, we are going to return null and no-op.`
`31`		`- var tokens = !_context.Response.HasStarted ? antiforgery.GetAndStoreTokens(_context) : antiforgery.GetTokens(_context);`
`32`		`- if (tokens.RequestToken is null)`
	`29`	`+ if (_currentToken == null && _canGenerateToken)`
`33`	`30`	`{`
`34`		`- return null;`
	`31`	`+ // We already have a callback setup to generate the token when the response starts if needed.`
	`32`	`+ // If we need the tokens before we start streaming the response, we'll generate and store them;`
	`33`	`+ // otherwise we'll just retrieve them.`
	`34`	`+ // In case there are no tokens available, we are going to return null and no-op.`
	`35`	`+ var tokens = !_context.Response.HasStarted ? antiforgery.GetAndStoreTokens(_context) : antiforgery.GetTokens(_context);`
	`36`	`+ if (tokens.RequestToken is null)`
	`37`	`+ {`
	`38`	`+ return null;`
	`39`	`+ }`
	`40`	`+`
	`41`	`+ _currentToken = new AntiforgeryRequestToken(tokens.RequestToken, tokens.FormFieldName);`
`35`	`42`	`}`
`36`	`43`
`37`		`- _currentToken = new AntiforgeryRequestToken(tokens.RequestToken, tokens.FormFieldName);`
`38`	`44`	`return _currentToken;`
`39`	`45`	`}`
	`46`	`+`
	`47`	`+ internal void DisableTokenGeneration() => _canGenerateToken = false;`
`40`	`48`	`}`