Merge pull request #34566 from dotnet/main

Rick-Anderson · web-flow · commit b3331ccd2742 · 2025-01-27T15:58:19.000-10:00
Merge to Live
diff --git a/aspnetcore/blazor/host-and-deploy/index.md b/aspnetcore/blazor/host-and-deploy/index.md
@@ -196,7 +196,7 @@ To provide configuration for the Blazor app's base path of `https://www.contoso.
 
 By configuring the app base path, a component that isn't in the root directory can construct URLs relative to the app's root path. Components at different levels of the directory structure can build links to other resources at locations throughout the app. The app base path is also used to intercept selected hyperlinks where the `href` target of the link is within the app base path URI space. The <xref:Microsoft.AspNetCore.Components.Routing.Router> component handles the internal navigation.
 
-Place the the `<base>` tag in `<head>` markup ([location of `<head>` content](xref:blazor/project-structure#location-of-head-and-body-content)) before any elements with attribute values that are URLs, such as the `href` attributes of `<link>` elements.
+Place the `<base>` tag in `<head>` markup ([location of `<head>` content](xref:blazor/project-structure#location-of-head-and-body-content)) before any elements with attribute values that are URLs, such as the `href` attributes of `<link>` elements.
 
 :::moniker range=">= aspnetcore-8.0"
 
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -51,7 +51,7 @@ Add a package reference to the client project for the [`Net.Codecrete.QrCodeGene
 
 Set the site name in the app settings file of the client project. Use a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
 
-In the following example, the the company name is `Weyland-Yutani Corporation` (&copy;1986 20th Century Studios [*Aliens*](https://www.20thcenturystudios.com/movies/aliens)).
+In the following example, the company name is `Weyland-Yutani Corporation` (&copy;1986 20th Century Studios [*Aliens*](https://www.20thcenturystudios.com/movies/aliens)).
 
 Added to `wwwroot/appsettings.json`:
 
@@ -858,7 +858,7 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 }
 ```
 
-## Link to the the Manage 2FA page
+## Link to the Manage 2FA page
 
 Add a link to the navigation menu for users to reach the `Manage2fa` component page.
 
diff --git a/aspnetcore/blazor/tutorials/movie-database-app/part-4.md b/aspnetcore/blazor/tutorials/movie-database-app/part-4.md
@@ -265,7 +265,7 @@ Navigate to the movies `Index` page to see the seeded movies:
 
 ## Bind a form to a model
 
-Review the the `Edit` component (`Components/Pages/MoviePages/Edit.razor`).
+Review the `Edit` component (`Components/Pages/MoviePages/Edit.razor`).
 
 When an HTTP GET request is made for the `Edit` component page (for example at the relative URL: `/movies/edit?id=6`):
 
diff --git a/aspnetcore/diagnostics/asp0028.md b/aspnetcore/diagnostics/asp0028.md
@@ -21,7 +21,7 @@ On the server machine that supports `IPv6`, [IPv6Any](/dotnet/api/system.net.ipa
 
 `127.0.0.1` is the IPv4 loopback address. `::1` is the IPv6 loopback address. `Any` is the wildcard address for IPv4. `IPv6Any` is the wildcard address for IPv6.
 
-Current behavior with with IPv6 when using  HTTP/1.x or HTTP/2.0:
+Current behavior with IPv6 when using  HTTP/1.x or HTTP/2.0:
 
 * `localhost` resolves to `[::1]`.
 * `[::1]` isn't accepted by the server, which forces a retry using `127.0.0.1`, creating a repeated cycle.
diff --git a/aspnetcore/fundamentals/openapi/aspnetcore-openapi.md b/aspnetcore/fundamentals/openapi/aspnetcore-openapi.md
@@ -5,7 +5,7 @@ description: Learn how to generate and customize OpenAPI documents in an ASP.NET
 ms.author: safia
 monikerRange: '>= aspnetcore-6.0'
 ms.custom: mvc
-ms.date: 12/11/2024
+ms.date: 01/23/2025
 uid: fundamentals/openapi/aspnetcore-openapi
 ---
 # Generate OpenAPI documents
@@ -48,7 +48,7 @@ The following code:
 * Adds OpenAPI services using the <xref:Microsoft.Extensions.DependencyInjection.OpenApiServiceCollectionExtensions.AddOpenApi%2A> extension method on the app builder's service collection.
 * Maps an endpoint for viewing the OpenAPI document in JSON format with the <xref:Microsoft.AspNetCore.Builder.OpenApiEndpointRouteBuilderExtensions.MapOpenApi%2A> extension method on the app.
 
-[!code-csharp[](~/fundamentals/openapi/samples/9.x/WebMinOpenApi/Program.cs?name=snippet_first&highlight=3,7)]
+[!code-csharp[](~/fundamentals/openapi/samples/9.x/WebMinOpenApi/Program.cs?name=snippet_first&highlight=3,9)]
 
 Launch the app and navigate to `https://localhost:<port>/openapi/v1.json` to view the generated OpenAPI document.
 
diff --git a/aspnetcore/fundamentals/openapi/samples/9.x/WebMinOpenApi/Program.cs b/aspnetcore/fundamentals/openapi/samples/9.x/WebMinOpenApi/Program.cs
@@ -3,7 +3,6 @@
 //#define DOCUMENTtransformer1
 //#define DOCUMENTtransformer2
 #define DOCUMENTtransformerUse999
-//#define DEFAULT
 //#define FIRST
 //#define OPENAPIWITHSCALAR
 //#define MAPOPENAPIWITHCACHING
@@ -80,7 +79,10 @@ internal record WeatherForecast(DateTime Date, int TemperatureC, string? Summary
 
 var app = builder.Build();
 
-app.MapOpenApi();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
 
 app.MapGet("/", () => "Hello world!");
 
@@ -107,7 +109,10 @@ internal record WeatherForecast(DateTime Date, int TemperatureC, string? Summary
 
 var app = builder.Build();
 
-app.MapOpenApi();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
 
 app.MapGet("/", () => "Hello world!");
 
@@ -161,7 +166,10 @@ public async Task TransformAsync(OpenApiDocument document, OpenApiDocumentTransf
 
 var app = builder.Build();
 
-app.MapOpenApi();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
 
 app.MapGet("/", () => "Hello world!");
 
@@ -189,7 +197,10 @@ public async Task TransformAsync(OpenApiDocument document, OpenApiDocumentTransf
 
 var app = builder.Build();
 
-app.MapOpenApi();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
 
 app.MapGet("/world", () => "Hello world!")
     .WithGroupName("internal");
@@ -253,7 +264,10 @@ public async Task TransformAsync(OpenApiDocument document, OpenApiDocumentTransf
 
 var app = builder.Build();
 
-app.MapOpenApi();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
 
 app.MapGet("/", () => new Body { Amount = 1.1m });
 
@@ -279,9 +293,10 @@ public class Body {
 
 var app = builder.Build();
 
-app.MapOpenApi();
 if (app.Environment.IsDevelopment())
 {
+    app.MapOpenApi();
+    
     app.UseSwaggerUI(options =>
     {
         options.SwaggerEndpoint("/openapi/v1.json", "v1");
@@ -342,8 +357,11 @@ public class Body {
 
 app.UseOutputCache();
 
-app.MapOpenApi()
-    .CacheOutput();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi()
+        .CacheOutput();
+}
 
 app.MapGet("/", () => "Hello world!");
 
@@ -365,10 +383,9 @@ public class Body {
 
 var app = builder.Build();
 
-app.MapOpenApi();
-
 if (app.Environment.IsDevelopment())
 {
+    app.MapOpenApi();
     app.MapScalarApiReference();
 }
 
@@ -386,7 +403,10 @@ public class Body {
 
 var app = builder.Build();
 
-app.MapOpenApi();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
 
 app.MapGet("/", () => "Hello world!");
 
@@ -419,7 +439,10 @@ public class Body {
 
 var app = builder.Build();
 
-app.MapOpenApi();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
 
 app.MapGet("/", () => "Hello world!");
 
@@ -473,7 +496,10 @@ public Task TransformAsync(OpenApiSchema schema, OpenApiSchemaTransformerContext
 
 var app = builder.Build();
 
-app.MapOpenApi();
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
 
 app.MapGet("/", () => "Hello world!");
 
diff --git a/aspnetcore/grpc/index.md b/aspnetcore/grpc/index.md
@@ -4,7 +4,7 @@ author: jamesnk
 description: Learn about gRPC services with Kestrel server and the ASP.NET Core stack.
 monikerRange: '>= aspnetcore-3.0'
 ms.author: wpickett
-ms.date: 09/28/2021
+ms.date: 01/24/2024
 uid: grpc/index
 ---
 # Overview for gRPC on .NET
diff --git a/aspnetcore/security/anti-request-forgery.md b/aspnetcore/security/anti-request-forgery.md
@@ -40,7 +40,7 @@ In addition to the scenario where the user selects the button to submit the form
 
 These alternative scenarios don't require any action or input from the user other than initially visiting the malicious site.
 
-Using HTTPS doesn't prevent a CSRF attack. The malicious site can send an `https://www.good-banking-site.com/` request as easily as it can send an insecure request.
+Using HTTPS doesn't prevent a CSRF attack. The malicious site can send `https://www.good-banking-site.example.com/` a request just as easily as it can send an insecure request.
 
 Some attacks target endpoints that respond to GET requests, in which case an image tag can be used to perform the action. This form of attack is common on forum sites that permit images but block JavaScript. Apps that change state on GET requests, where variables or resources are altered, are vulnerable to malicious attacks. **GET requests that change state are insecure. A best practice is to never change state on a GET request.**
 
@@ -359,7 +359,7 @@ In addition to the scenario where the user selects the button to submit the form
 
 These alternative scenarios don't require any action or input from the user other than initially visiting the malicious site.
 
-Using HTTPS doesn't prevent a CSRF attack. The malicious site can send an `https://www.good-banking-site.com/` request just as easily as it can send an insecure request.
+Using HTTPS doesn't prevent a CSRF attack. The malicious site can send `https://www.good-banking-site.example.com/` a request just as easily as it can send an insecure request.
 
 Some attacks target endpoints that respond to GET requests, in which case an image tag can be used to perform the action. This form of attack is common on forum sites that permit images but block JavaScript. Apps that change state on GET requests, where variables or resources are altered, are vulnerable to malicious attacks. **GET requests that change state are insecure. A best practice is to never change state on a GET request.**
 
@@ -635,7 +635,7 @@ In addition to the scenario where the user selects the button to submit the form
 
 These alternative scenarios don't require any action or input from the user other than initially visiting the malicious site.
 
-Using HTTPS doesn't prevent a CSRF attack. The malicious site can send an `https://www.good-banking-site.com/` request just as easily as it can send an insecure request.
+Using HTTPS doesn't prevent a CSRF attack. The malicious site can send `https://www.good-banking-site.example.com/` a request just as easily as it can send an insecure request.
 
 Some attacks target endpoints that respond to GET requests, in which case an image tag can be used to perform the action. This form of attack is common on forum sites that permit images but block JavaScript. Apps that change state on GET requests, where variables or resources are altered, are vulnerable to malicious attacks. **GET requests that change state are insecure. A best practice is to never change state on a GET request.**
 
@@ -887,7 +887,7 @@ In addition to the scenario where the user selects the button to submit the form
 
 These alternative scenarios don't require any action or input from the user other than initially visiting the malicious site.
 
-Using HTTPS doesn't prevent a CSRF attack. The malicious site can send an `https://www.good-banking-site.com/` request just as easily as it can send an insecure request.
+Using HTTPS doesn't prevent a CSRF attack. The malicious site can send `https://www.good-banking-site.example.com/` a request just as easily as it can send an insecure request.
 
 Some attacks target endpoints that respond to GET requests, in which case an image tag can be used to perform the action. This form of attack is common on forum sites that permit images but block JavaScript. Apps that change state on GET requests, where variables or resources are altered, are vulnerable to malicious attacks. **GET requests that change state are insecure. A best practice is to never change state on a GET request.**
 
diff --git a/aspnetcore/security/anti-request-forgery/samples_snapshot/vulnerable-form.html b/aspnetcore/security/anti-request-forgery/samples_snapshot/vulnerable-form.html
@@ -1,5 +1,5 @@
 <h1>Congratulations! You're a Winner!</h1>
-<form action="https://good-banking-site.com/api/account" method="post">
+<form action="https://www.good-banking-site.example.com/api/account" method="post">
     <input type="hidden" name="Transaction" value="withdraw" />
     <input type="hidden" name="Amount" value="1000000" />
     <input type="submit" value="Click to collect your prize!" />
diff --git a/aspnetcore/security/authorization/roles.md b/aspnetcore/security/authorization/roles.md
@@ -138,8 +138,8 @@ If multiple attributes are applied at the controller and action levels, ***all**
 
 In the preceding `ControlAllPanelController` controller:
 
-* Members of the `Administrator` role or the `PowerUser` role can access the controller and the `SetTime` action.
-* Only members of the `Administrator` role can access the `ShutDown` action.
+* Members of the `Administrator` role can access the controller and the `SetTime` action.
+* Only members of the `Administrator` **and** the `PowerUser` role can access the `ShutDown` action.
 
 You can also lock down a controller but allow anonymous, unauthenticated access to individual actions.
 
diff --git a/aspnetcore/security/index.md b/aspnetcore/security/index.md
@@ -47,7 +47,7 @@ There are more vulnerabilities that you should be aware of. For more information
 
 ## Secure authentication flows
 
-We recommend using the most secure secure authentication option. For Azure services, the most secure authentication is [managed identities](/entra/identity/managed-identities-azure-resources/overview).
+We recommend using the most secure authentication option. For Azure services, the most secure authentication is [managed identities](/entra/identity/managed-identities-azure-resources/overview).
 
 Avoid Resource Owner Password Credentials Grant because it:
 
diff --git a/aspnetcore/tutorials/first-mvc-app/search.md b/aspnetcore/tutorials/first-mvc-app/search.md
@@ -4,7 +4,7 @@ author: wadepickett
 description: Part 7 of tutorial series on ASP.NET Core MVC.
 monikerRange: '>= aspnetcore-3.1'
 ms.author: wpickett
-ms.date: 07/24/2024
+ms.date: 01/26/2025
 uid: tutorials/first-mvc-app/search
 ---
 
@@ -98,7 +98,7 @@ The following image shows the Chrome browser Developer tools with the **Network*
 
 The **Network** and **Payload** tabs are selected to view form data:
 
-![Network and Payload tabs of Chrome browser Developer Tools showing form data](~/tutorials/first-mvc-app/search/_static/9/f12_general90.png)
+![Network and Payload tabs of Chrome browser Developer Tools showing form data](~/tutorials/first-mvc-app/search/_static/9/f12_form90.png)
 
 You can see the search parameter and [XSRF](xref:security/anti-request-forgery) token in the request body. Note, as mentioned in the previous tutorial, the [Form Tag Helper](xref:mvc/views/working-with-forms) generates an [XSRF](xref:security/anti-request-forgery) antiforgery token. We're not modifying data, so we don't need to validate the token in the controller method.
 
