Description
This issue has been moved from a ticket on Developer Community.
[severity:It bothers me. A fix would be nice]
Problem: [Error 400][A valid antiforgery token was not provided with the request. Add an antiforgery token, or disable antiforgery validation for this endpoint] for a static SSR page, related to the constant antiforgery token update, if the redirect was from another domain.
I created a new default project BWA i-auto (i(nteractive)-server & i-wasm) + "include sample pages" in the latest VS 17.11.4. I am attaching the project BlazorApp2.7z; it is a default + one simple test page (/test) with an edit form only.
If you open the /test page in a new tab and click submit, the page works;
then if you open another page, /weather (sr-s-SSR = streaming rendering static SSR), in a new tab from another domain, the previous page immediately gives 400 when submitting the form (demonstrated in the video bandicam 2024-10-06 13-32-03-490.mp4).
The problem is that the antiforgery token is updated if the redirect was to a new tab from another domain (demonstrated in the video bandicam 2024-10-06 13-48-18-096.mp4). The server IIS logs contain a new AF-token only for the last POST request to which the server responded with a 400 error.
If you repeat this situation by opening the /weather page in a new tab with manual input of the URL, there is no such problem.
Is this a bug or some kind of Blazor technology issue for static pages? Can MS solve it?
The sample is temporarily deployed blazorapp220241005182634.azurewebsites.net
Possible workaround 1 for an s-SSR page: so far I see this workaround:
Use a js function that will check that the AF-token has not changed after loading the page and pressing the submit button. If it has changed, refresh the page (the AF-token will be updated automatically) or first ask the user to confirm that the page should be refreshed.
But the AF-token cannot be read from cookies by design, as "HttpOnly cookies' purpose is being inaccessible by script."
The question: How to find out with JavaScript that the AF-token has changed (a boolean sign is enough)?
Possible workaround 2 for an s-SSR page:
When pages (like /weather) load, they detect that the token has changed and write the current timestamp to the browser's local storage. The test page, when a button is pressed, will detect that the state has changed (compare the timestamps via JS).
The question: How to find out with C# (OnInitializedAsync) that the AF-token has changed (a boolean sign is enough)?
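An added example, not code from the reporter's BlazorApp2 project, showing one server-side way to obtain the boolean the two workaround questions ask for: a hypothetical `/antiforgery/check` endpoint that uses ASP.NET Core's `IAntiforgery.IsRequestValidAsync` to report whether the request token a page rendered at load still matches the HttpOnly cookie the browser now holds. It assumes the default .NET 8 Blazor Web App `Program.cs` (the template's remaining registrations are omitted) and that the page's script sends its hidden `__RequestVerificationToken` value in the `RequestVerificationToken` request header.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorComponents()
    .AddInteractiveServerComponents()
    .AddInteractiveWebAssemblyComponents();
// The rest of the Blazor Web App template setup (MapRazorComponents<App>() etc.) stays as generated.

var app = builder.Build();
app.UseStaticFiles();
app.UseAntiforgery();

// Hypothetical endpoint (not part of the reported project). The browser attaches the HttpOnly
// antiforgery cookie by itself, so script never needs to read it; the page's script supplies the
// request token it rendered at load in the antiforgery header (default name
// AntiforgeryOptions.HeaderName = "RequestVerificationToken"). No form body is bound here, so the
// antiforgery middleware does not reject the call itself; the explicit check below decides, and a
// stale token yields { "valid": false } instead of the 400 the form POST would produce.
//
// Likely cause of the reported behaviour (an assumption, not stated in the report): the antiforgery
// cookie defaults to SameSite=Strict, so a cross-site top-level navigation into a new tab omits it,
// the server issues a fresh cookie, and the token the older tab rendered no longer matches it.
app.MapPost("/antiforgery/check", async (HttpContext httpContext, IAntiforgery antiforgery) =>
{
    bool valid = await antiforgery.IsRequestValidAsync(httpContext);
    return Results.Ok(new { valid });
});

app.Run();
```

On the /test page, a script reads the hidden `__RequestVerificationToken` input rendered by `<AntiforgeryToken />`, POSTs to this endpoint with that value in the `RequestVerificationToken` header, and asks the user to reload the page when `valid` is false.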
Original Comments
Feedback Bot on 10/7/2024, 08:21 PM:
We have directed your feedback to the appropriate engineering team for further evaluation. The team will review the feedback and notify you about the next steps.