Skip to content

[release/10.0] Preserve antiforgery token #64819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
github-actions wants to merge 3 commits into
base: release/10.0
Choose a base branch
from
Open

[release/10.0] Preserve antiforgery token #64819

github-actions wants to merge 3 commits into from
+2 −0

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 19, 2025
edited by ilonatommy
Loading

Backport of #64806 to release/10.0

/cc @javiercn @ilonatommy

Preserve antiforgery token

Fix antiforgery token trimming in Blazor WebAssembly prerendering

Description

When a Blazor WebAssembly app with Individual Identity authentication is published with PublishTrimmed=true, the antiforgery token persisted during SSR is not restored during the SSR-to-WASM handoff. This causes the <AntiforgeryToken> component to render nothing in interactive mode, breaking form submissions.

Root cause: The IL trimmer removes DefaultAntiforgeryStateProvider.CurrentToken property and AntiforgeryRequestToken constructor because they're only accessed via reflection by the persistent state system.

Fix: Add [DynamicDependency(JsonSerialized, typeof(...))] attributes on WebAssemblyHostBuilder.InitializeDefaultServices() to preserve:

  • DefaultAntiforgeryStateProvider - ensures the [PersistentState] CurrentToken property is preserved
  • AntiforgeryRequestToken - ensures the constructor and properties are preserved for JSON deserialization

Fixes #64693

Customer Impact

Customers publishing Blazor WebAssembly apps with Individual Identity authentication experience is broken form submissions because the antiforgery token is not properly restored after SSR-to-WASM handoff. This is a critical issue affecting production deployments with trimming enabled.

Regression?

  • Yes
  • No

Regressed from .NET 9. In .NET 9, the antiforgery token was retrieved using PersistentComponentState. In .NET 10, it was changed to use the [PersistentState] attribute on DefaultAntiforgeryStateProvider.CurrentToken. The new declarative model for persisting state causes the IL trimmer to remove the necessary types since they're only accessed via reflection.

Risk

  • High
  • Medium
  • Low

The fix adds DynamicDependency attributes to preserve specific types from IL trimming. This is a minimal, targeted change following established patterns already used elsewhere in the codebase. It only affects the trimmer behavior and has no runtime logic changes.

Verification

  • Manual (required)
  • Automated

Manual testing with a Blazor WebAssembly app using Individual Identity authentication to verify form submissions work correctly.

Packaging changes reviewed?

  • Yes
  • No
  • N/A

No packaging changes in this PR.

Existing workarounds

<linker>
	<!--  AntiforgeryRequestToken deserialization issues  -->
	<assembly fullname="Microsoft.AspNetCore.Components.Web">
		<type fullname="Microsoft.AspNetCore.Components.Forms.AntiforgeryRequestToken" preserve="all"/>
	</assembly>
	<assembly fullname="Microsoft.AspNetCore.Components.WebAssembly">
		<type fullname="Microsoft.AspNetCore.Components.Forms.DefaultAntiforgeryStateProvider" preserve="all"/>
	</assembly>
</linker>

@github-actions github-actions bot requested a review from a team as a code owner December 19, 2025 10:23
@ilonatommy ilonatommy self-assigned this Dec 19, 2025
@ilonatommy ilonatommy added the area-blazor Includes: Blazor, Razor Components label Dec 19, 2025
@ilonatommy ilonatommy added this to the 10.0.x milestone Dec 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@ilonatommy ilonatommy

Labels

area-blazor Includes: Blazor, Razor Components

Projects

None yet

Milestone

10.0.x

Development

Successfully merging this pull request may close these issues.

2 participants

@ilonatommy