Emit antiforgery only when streaming

Author: javiercn

src/Components/Endpoints/src/Forms/EndpointAntiforgeryStateProvider.cs

@@ -10,10 +10,12 @@ namespace Microsoft.AspNetCore.Components.Endpoints.Forms;
 internal class EndpointAntiforgeryStateProvider(IAntiforgery antiforgery) : DefaultAntiforgeryStateProvider()
 {
     private HttpContext? _context;
+    private bool _canGenerateToken;
 
     internal void SetRequestContext(HttpContext context)
     {
         _context = context;
+        _canGenerateToken = true;
     }
 
     public override AntiforgeryRequestToken? GetAntiforgeryToken()
@@ -24,17 +26,23 @@ internal void SetRequestContext(HttpContext context)
             return _currentToken;
         }
 
-        // We already have a callback setup to generate the token when the response starts if needed.
-        // If we need the tokens before we start streaming the response, we'll generate and store them;
-        // otherwise we'll just retrieve them.
-        // In case there are no tokens available, we are going to return null and no-op.
-        var tokens = !_context.Response.HasStarted ? antiforgery.GetAndStoreTokens(_context) : antiforgery.GetTokens(_context);
-        if (tokens.RequestToken is null)
+        if (_currentToken == null && _canGenerateToken)
         {
-            return null;
+            // We already have a callback setup to generate the token when the response starts if needed.
+            // If we need the tokens before we start streaming the response, we'll generate and store them;
+            // otherwise we'll just retrieve them.
+            // In case there are no tokens available, we are going to return null and no-op.
+            var tokens = !_context.Response.HasStarted ? antiforgery.GetAndStoreTokens(_context) : antiforgery.GetTokens(_context);
+            if (tokens.RequestToken is null)
+            {
+                return null;
+            }
+
+            _currentToken = new AntiforgeryRequestToken(tokens.RequestToken, tokens.FormFieldName);
         }
 
-        _currentToken = new AntiforgeryRequestToken(tokens.RequestToken, tokens.FormFieldName);
         return _currentToken;
     }
+
+    internal void DisableTokenGeneration() => _canGenerateToken = false;
 }

src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs

@@ -6,7 +6,9 @@
 using System.Text;
 using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Components.Endpoints.Forms;
 using Microsoft.AspNetCore.Components.Endpoints.Rendering;
+using Microsoft.AspNetCore.Components.Forms;
 using Microsoft.AspNetCore.Components.Infrastructure;
 using Microsoft.AspNetCore.Diagnostics;
 using Microsoft.AspNetCore.Http;
@@ -135,8 +137,17 @@ await _renderer.InitializeStandardComponentServicesAsync(
             var bufferingFeature = context.Features.GetRequiredFeature<IHttpResponseBodyFeature>();
             bufferingFeature.DisableBuffering();
 
+            // Store the tokens if not emitted already in case we stream a form in the response.
+            antiforgery!.GetAndStoreTokens(context);
+
             context.Response.Headers.ContentEncoding = "identity";
         }
+        else
+        {
+            // Disable token generation on EndpointAntiforgeryStateProvider if we are not streaming.
+            var provider = (EndpointAntiforgeryStateProvider)context.RequestServices.GetRequiredService<AntiforgeryStateProvider>();
+            provider.DisableTokenGeneration();
+        }
 
         // Importantly, we must not yield this thread (which holds exclusive access to the renderer sync context)
         // in between the first call to htmlContent.WriteTo and the point where we start listening for subsequent
@@ -146,8 +157,6 @@ await _renderer.InitializeStandardComponentServicesAsync(
 
         if (!quiesceTask.IsCompletedSuccessfully)
         {
-            // We need to ensure that the antiforgery tokens are generated and stored in the response
-            antiforgery!.GetAndStoreTokens(context);
             await _renderer.SendStreamingUpdatesAsync(context, quiesceTask, bufferWriter);
         }
         else