Support disabling antiforgery

Author: javiercn

src/Antiforgery/src/IAntiforgeryMetadata.cs

@@ -0,0 +1,15 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Antiforgery.Infrastructure;
+
+/// <summary>
+/// A marker interface which can be used to identify antiforgery metadata.
+/// </summary>
+public interface IAntiforgeryMetadata
+{
+    /// <summary>
+    /// Gets a value indicating whether the antiforgery token should be validated.
+    /// </summary>
+    bool Required { get; }
+}

src/Antiforgery/src/PublicAPI.Unshipped.txt

@@ -1 +1,6 @@
 #nullable enable
+Microsoft.AspNetCore.Antiforgery.Infrastructure.IAntiforgeryMetadata
+Microsoft.AspNetCore.Antiforgery.Infrastructure.IAntiforgeryMetadata.Required.get -> bool
+Microsoft.AspNetCore.Antiforgery.RequireAntiforgeryTokenAttribute
+Microsoft.AspNetCore.Antiforgery.RequireAntiforgeryTokenAttribute.RequireAntiforgeryTokenAttribute(bool required = true) -> void
+Microsoft.AspNetCore.Antiforgery.RequireAntiforgeryTokenAttribute.Required.get -> bool

src/Antiforgery/src/RequireAntiforgeryTokenAttribute.cs

@@ -0,0 +1,23 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Antiforgery.Infrastructure;
+
+namespace Microsoft.AspNetCore.Antiforgery;
+
+/// <summary>
+/// An attribute that can be used to indicate whether the antiforgery token must be validated.
+/// </summary>
+/// <param name="required">A value indicating whether the antiforgery token should be validated.</param>
+[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+public class RequireAntiforgeryTokenAttribute(bool required = true) : Attribute, IAntiforgeryMetadata
+{
+    /// <summary>
+    /// Gets or sets a value indicating whether the antiforgery token should be validated.
+    /// </summary>
+    /// <remarks>
+    /// Defaults to <see langword="true"/>; <see langword="false"/> indicates that
+    /// the validation check for the antiforgery token can be avoided.
+    /// </remarks>
+    public bool Required { get; } = required;
+}

src/Components/Components/src/Rendering/RenderTreeBuilder.cs

@@ -972,19 +972,11 @@ public void Dispose()
                     // Walk backwards to find pairs of onsubmit and @onsubmit:name
                     // and stop the first time we find an element or component frame.
                     ref var attributeFrame = ref _entries.Buffer[j];
-                    if (attributeFrame.FrameType == RenderTreeFrameType.Component)
+                    if (attributeFrame.FrameType != RenderTreeFrameType.Attribute)
                     {
-                        // If we were processing a component, ignore the values
-                        // as this feature is only for HTML elements.
-                        submitHanderNameIndex = -1;
-                        submitHandlerIndex = -1;
-                        break;
-                    }
-                    else if (attributeFrame.FrameType == RenderTreeFrameType.Element)
-                    {
-                        // We are at the end of the elements sequence
                         break;
                     }
+
                     if (string.Equals(attributeFrame.AttributeName, "onsubmit", StringComparison.Ordinal))
                     {
                         submitHandlerIndex = j;

src/Components/Endpoints/src/Builder/RazorComponentEndpointFactory.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Components.Discovery;
 using Microsoft.AspNetCore.Http;
@@ -30,6 +31,9 @@ internal void AddEndpoints(
             RoutePatternFactory.Parse(pageDefinition.Route),
             order: 0);
 
+        // Require antiforgery by default, let the page override it.
+        builder.Metadata.Add(new RequireAntiforgeryTokenAttribute());
+
         // All attributes defined for the type are included as metadata.
         foreach (var attribute in pageDefinition.Metadata)
         {

src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs

@@ -7,6 +7,7 @@
 using System.Text;
 using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Antiforgery.Infrastructure;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.DependencyInjection;
@@ -38,8 +39,12 @@ private async Task RenderComponentCore()
         _context.Response.ContentType = RazorComponentResultExecutor.DefaultContentType;
         _renderer.InitializeStreamingRenderingFraming(_context);
 
+        // Metadata controls whether we require antiforgery protection for this endpoint or we should skip it.
+        // The default for razor component endpoints is to require the metadata, but it can be overriden by
+        // the developer.
+        var antiforgeryMetadata = _context.GetEndpoint()!.Metadata.GetMetadata<IAntiforgeryMetadata>();
         var antiforgery = _context.RequestServices.GetRequiredService<IAntiforgery>();
-        var (valid, isPost, handler) = await ValidateRequestAsync(antiforgery);
+        var (valid, isPost, handler) = await ValidateRequestAsync(antiforgeryMetadata?.Required == true ? antiforgery : null);
         if (!valid)
         {
             // If the request is not valid we've already set the response to a 400 or similar
@@ -51,7 +56,7 @@ private async Task RenderComponentCore()
         {
             // Generate the antiforgery tokens before we start streaming the response, as it needs
             // to set the cookie header.
-            antiforgery.GetAndStoreTokens(_context);
+            antiforgery!.GetAndStoreTokens(_context);
             return Task.CompletedTask;
         });
 
@@ -101,12 +106,12 @@ await EndpointHtmlRenderer.InitializeStandardComponentServicesAsync(
         await writer.FlushAsync();
     }
 
-    private async Task<RequestValidationState> ValidateRequestAsync(IAntiforgery antiforgery)
+    private async Task<RequestValidationState> ValidateRequestAsync(IAntiforgery? antiforgery)
     {
         var isPost = HttpMethods.IsPost(_context.Request.Method);
         if (isPost)
         {
-            var valid = await antiforgery.IsRequestValidAsync(_context);
+            var valid = antiforgery == null || await antiforgery.IsRequestValidAsync(_context);
             if (!valid)
             {
                 _context.Response.StatusCode = StatusCodes.Status400BadRequest;

src/Components/test/E2ETest/ServerRenderingTests/FormHandlingTests/FormWithParentBindingContextTest.cs

@@ -712,6 +712,21 @@ public void FormNoAntiforgeryReturnBadRequest(bool suppressEnhancedNavigation)
         DispatchToFormCore(dispatchToForm);
     }
 
+    [Theory]
+    [InlineData(true)]
+    [InlineData(false)]
+    public void FormAntiforgeryCheckDisabledOnPage(bool suppressEnhancedNavigation)
+    {
+        var dispatchToForm = new DispatchToForm(this)
+        {
+            Url = "forms/disable-antiforgery-check",
+            FormCssSelector = "form",
+            ExpectedActionValue = null,
+            SuppressEnhancedNavigation = suppressEnhancedNavigation,
+        };
+        DispatchToFormCore(dispatchToForm);
+    }
+
     [Fact]
     public void FormCanAddAntiforgeryAfterTheResponseHasStarted()
     {

src/Components/test/testassets/Components.TestServer/RazorComponents/Pages/Forms/FormDisableAntiforgery.razor

@@ -0,0 +1,19 @@
+@page "/forms/disable-antiforgery-check"
+@attribute [RequireAntiforgeryToken(false)]
+@using Microsoft.AspNetCore.Antiforgery;
+@using Microsoft.AspNetCore.Components.Forms
+
+<h2>Default form</h2>
+
+<ActionForm OnSubmit="() => _submitted = true" >
+    <input id="send" type="submit" value="Send" />
+</ActionForm>
+
+@if (_submitted)
+{
+    <p id="pass">Form submitted!</p>
+}
+
+@code{
+    bool _submitted = false;
+}