Confusing information

[josufh]

Description

In this section:

Antiforgery middleware is added...

is confusing. Me and my coworker thought that calling AddRazorComponents added the middleware as well and we were trying to troubleshoot the app for a long time, even after adding UseAntiforgery manually were confused. Experienced programmers might understand that the middleware is the developer's responsibility but people new to ASP.NET might find this information confusing.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/anti-request-forgery.md

Document ID

bffca13c-223f-c61f-9cb2-9da8811eecfa

Platform Id

a2883bdf-f8ff-d4f0-ef3e-413f88c39bd2

Article author

@tdykstra

Metadata

• ID: 47b14f57-82ac-a2e2-cbc7-22a81a60f4ac
• PlatformId: a2883bdf-f8ff-d4f0-ef3e-413f88c39bd2
• Service: aspnet-core
• Sub-service: security

Related Issues

[guardrex]

Hello @josufh ... I'll provide a little context for Blazor apps, and then @tdykstra will see if modifying the article makes sense. Tom takes are of this particular article.

Calling AddRazorComponents adds the Antiforgery Middleware (AddAntiforgery) to the app ...

https://github.com/dotnet/aspnetcore/blob/main/src/Components/Endpoints/src/DependencyInjection/RazorComponentsServiceCollectionExtensions.cs#L42

... and that's what the article states. The Blazor article has more detail on how UseAntiforgery is called in the Blazor project template to add antiforgery to the request processing pipeline ...

• https://github.com/dotnet/aspnetcore/blob/main/src/ProjectTemplates/Web.ProjectTemplates/content/BlazorWeb-CSharp/BlazorWebCSharp.1/Program.cs#L108
• https://learn.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-9.0&tabs=visual-studio#antiforgery-support

That second point is missing in the main doc set's article. At least currently, the main doc set article links over to that section in the Blazor article that explains it.

It's only super clear in the section on Minimal APIs that one has to take the further step of calling UseAntiforgery ...

https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-9.0#antiforgery-with-minimal-apis

Tom, I think the article could probably use something similar WRT Blazor. I think you can take (or take+modify) what's in the Blazor section and inject it here somewhere that makes sense (a new section?), possibly with another cross-link to the Blazor article if the (new section?) doesn't explain it all out to the degree that the Blazor article explains it. Dan is asking for these main doc set articles to have more focus on Blazor scenarios, so should most/all of what's in the Blazor article should come over to the main doc set article? Perhaps so 🤔.

[josufh]

Thank you for the clear explanation @guardrex !

[guardrex]

Sure thing, @josufh. Thanks for the issue.

Tom ... one further thought WRT what the Blazor article keeps after modifying the main doc set article. Perhaps, all of what's in the Blazor article comes over here. Then, the Blazor article just keeps a very short section that directs the reader to the main doc set article for details. That's just in case someone ends up over there looking for the guidance and doesn't see it. I guess it could be a section in the Blazor article or even just an additional resource cross-link at the bottom.

[wadepickett]

@tdykstra, FYI, see discussion.