Skip to content

Preserve antiforgery token #64806

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ilonatommy merged 3 commits into from
Dec 19, 2025
Merged

Preserve antiforgery token #64806

ilonatommy merged 3 commits into from
Dec 19, 2025
+2 −0

Conversation

@ilonatommy
Copy link
Member

@ilonatommy ilonatommy commented Dec 17, 2025

Fix antiforgery token trimming in Blazor WebAssembly prerendering

Add DynamicDependency attributes to prevent IL trimming of antiforgery type.

Description

When a Blazor WebAssembly app with Individual Identity authentication is published with PublishTrimmed=true, the antiforgery token persisted during SSR is not restored during the SSR-to-WASM handoff. This causes the <AntiforgeryToken> component to render nothing in interactive mode, breaking form submissions.

Root cause: The IL trimmer removes DefaultAntiforgeryStateProvider.CurrentToken property and AntiforgeryRequestToken constructor because they're only accessed via reflection by the persistent state system.

Fix: Add [DynamicDependency(JsonSerialized, typeof(...))] attributes on WebAssemblyHostBuilder.InitializeDefaultServices() to preserve:

  • DefaultAntiforgeryStateProvider - ensures the [PersistentState] CurrentToken property is preserved
  • AntiforgeryRequestToken - ensures the constructor and properties are preserved for JSON deserialization

Known workarounds:

<linker>
	<!--  AntiforgeryRequestToken deserialization issues  -->
	<assembly fullname="Microsoft.AspNetCore.Components.Web">
		<type fullname="Microsoft.AspNetCore.Components.Forms.AntiforgeryRequestToken" preserve="all"/>
	</assembly>
	<assembly fullname="Microsoft.AspNetCore.Components.WebAssembly">
		<type fullname="Microsoft.AspNetCore.Components.Forms.DefaultAntiforgeryStateProvider" preserve="all"/>
	</assembly>
</linker>

Fixes #64693

@ilonatommy ilonatommy requested a review from a team as a code owner December 17, 2025 17:19
Copilot AI review requested due to automatic review settings December 17, 2025 17:19
@github-actions github-actions bot added the area-blazor Includes: Blazor, Razor Components label Dec 17, 2025
@ilonatommy ilonatommy self-assigned this Dec 17, 2025
@ilonatommy ilonatommy requested a review from javiercn December 17, 2025 17:24
Copilot AI reviewed Dec 17, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a critical trimming issue in Blazor WebAssembly applications with Individual Identity authentication. When published with PublishTrimmed=true, the antiforgery token state was being lost during the SSR-to-WASM handoff, causing form submissions to break. The fix adds DynamicDependency attributes to preserve the necessary types from IL trimming.

Key changes:

  • Added [DynamicDependency(JsonSerialized, typeof(DefaultAntiforgeryStateProvider))] to preserve the CurrentToken property marked with [PersistentState]
  • Added [DynamicDependency(JsonSerialized, typeof(AntiforgeryRequestToken))] to preserve the constructor and properties for JSON deserialization
  • These attributes are placed on InitializeDefaultServices() method, following the established pattern used elsewhere in the codebase

@ilonatommy ilonatommy enabled auto-merge (squash) December 18, 2025 14:20
@ilonatommy ilonatommy disabled auto-merge December 18, 2025 14:23
@build-analysis build-analysis bot mentioned this pull request Dec 18, 2025
Open
@ilonatommy ilonatommy merged commit 27d0e0a into dotnet:main Dec 19, 2025
25 checks passed
@dotnet-policy-service dotnet-policy-service bot added this to the 11.0-preview1 milestone Dec 19, 2025
@javiercn
Copy link
Member

javiercn commented Dec 19, 2025

Let's make sure we update our manual tests to add coverage for this in the future.

@javiercn
Copy link
Member

javiercn commented Dec 19, 2025

/backport to release/10.0

@github-actions
Copy link
Contributor

github-actions bot commented Dec 19, 2025

Started backporting to release/10.0 (link to workflow run)

@github-actions github-actions bot mentioned this pull request Dec 19, 2025
Open
10 tasks
@dotnet-maestro dotnet-maestro bot mentioned this pull request Dec 20, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@javiercn javiercn javiercn approved these changes

Assignees

@ilonatommy ilonatommy

Labels

area-blazor Includes: Blazor, Razor Components

Projects

None yet

Milestone

11.0-preview1

Development

Successfully merging this pull request may close these issues.

PersistentStateAttribute not working in Blazor when server and client have different trimming settings

2 participants

@ilonatommy @javiercn