Skip to content

Preserve antiforgery token #64806

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ilonatommy wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Preserve antiforgery token #64806

ilonatommy wants to merge 1 commit into from
+3 −1

Conversation

@ilonatommy
Copy link
Member

@ilonatommy ilonatommy commented Dec 17, 2025

Fix antiforgery token trimming in Blazor WebAssembly prerendering

Add DynamicDependency attributes to prevent IL trimming of antiforgery type.

Description

When a Blazor WebAssembly app with Individual Identity authentication is published with PublishTrimmed=true, the antiforgery token persisted during SSR is not restored during the SSR-to-WASM handoff. This causes the <AntiforgeryToken> component to render nothing in interactive mode, breaking form submissions.

Root cause: The IL trimmer removes DefaultAntiforgeryStateProvider.CurrentToken property and AntiforgeryRequestToken constructor because they're only accessed via reflection by the persistent state system.

Fix: Add [DynamicDependency(JsonSerialized, typeof(...))] attributes on WebAssemblyHostBuilder.InitializeDefaultServices() to preserve:

  • DefaultAntiforgeryStateProvider - ensures the [PersistentState] CurrentToken property is preserved
  • AntiforgeryRequestToken - ensures the constructor and properties are preserved for JSON deserialization

Known workarounds:

<linker>
	<!--  AntiforgeryRequestToken deserialization issues  -->
	<assembly fullname="Microsoft.AspNetCore.Components.Web">
		<type fullname="Microsoft.AspNetCore.Components.Forms.AntiforgeryRequestToken" preserve="all"/>
	</assembly>
	<assembly fullname="Microsoft.AspNetCore.Components.WebAssembly">
		<type fullname="Microsoft.AspNetCore.Components.Forms.DefaultAntiforgeryStateProvider" preserve="all"/>
	</assembly>
</linker>

Fixes #64693

@ilonatommy ilonatommy requested a review from a team as a code owner December 17, 2025 17:19
Copilot AI review requested due to automatic review settings December 17, 2025 17:19
@github-actions github-actions bot added the area-blazor Includes: Blazor, Razor Components label Dec 17, 2025
@ilonatommy ilonatommy self-assigned this Dec 17, 2025
@ilonatommy ilonatommy requested a review from javiercn December 17, 2025 17:24
Copilot AI reviewed Dec 17, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a critical trimming issue in Blazor WebAssembly applications with Individual Identity authentication. When published with PublishTrimmed=true, the antiforgery token state was being lost during the SSR-to-WASM handoff, causing form submissions to break. The fix adds DynamicDependency attributes to preserve the necessary types from IL trimming.

Key changes:

  • Added [DynamicDependency(JsonSerialized, typeof(DefaultAntiforgeryStateProvider))] to preserve the CurrentToken property marked with [PersistentState]
  • Added [DynamicDependency(JsonSerialized, typeof(AntiforgeryRequestToken))] to preserve the constructor and properties for JSON deserialization
  • These attributes are placed on InitializeDefaultServices() method, following the established pattern used elsewhere in the codebase

src/Components/WebAssembly/WebAssembly/src/Hosting/WebAssemblyHostBuilder.cs
return new WebAssemblyHost(this, services, scope, _persistedState);
}


Copy link

Copilot AI Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line contains trailing whitespace. According to the .editorconfig, trailing whitespace should be trimmed.

Suggested change

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@javiercn javiercn javiercn approved these changes

Assignees

@ilonatommy ilonatommy

Labels

area-blazor Includes: Blazor, Razor Components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

PersistentStateAttribute not working in Blazor when server and client have different trimming settings

2 participants

@ilonatommy @javiercn