Is anti forgery token added automatically, even without explicit [AutoValidateAntiforgeryToken]?

Time:10-17

Context

I've noticed that after creating a new ASP.NET Core Razor Pages application in VS 2019 from its out-of-the-box template, even the purest HTML form with the purest model class renders output with <input name="__RequestVerificationToken" type="hidden" value="...">

Question

Am I missing something, and is there somewhere an explicit attribute/statement which instructs ASP.NET Core to add anti-forgery, or is this now the default (which would make using [AutoValidateAntiforgeryToken] obsolete)?

...or...

Or is it just the <input name="__RequestVerificationToken" type="hidden" value="..."> which is always rendered unconditionally, and with [AutoValidateAntiforgeryToken] I can turn on the server-side validation against it? In that case, how can I smoke test whether validation is in effect or not?

Sample Code

@page
@model TestFormModel
@{
    ViewData["Title"] = "Home page";
}

<div>
    <form method="post">
        <input type="text" name="myinput"/>
        <input type="submit" value="Submit" />
    </form>
</div>

using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

//[AutoValidateAntiforgeryToken]
public class TestFormModel : PageModel
{
    private readonly ILogger<TestFormModel> _logger;

    public TestFormModel(ILogger<TestFormModel> logger)
    {
        _logger = logger;
    }

    public void OnGet()
    {

    }

    public void OnPost()
    {

    }
}

CodePudding user response:

Previously in .NET Framework versions of ASP.NET you did have to opt-in to anti-forgery token usually with an attribute.

[ValidateAntiForgeryToken]
public ActionResult Save(Product product)
{
  db.Product.Add(product);
  return View();
}

In ASP.NET Core this is automagically included in the Form Tag Helper. So any time your CSHTML includes a FORM element, the hidden field is included for you by the ASP.NET Core runtime.

The basis for including this by default is the mantra of "Convention over configuration". By convention, 80% of developers would opt to protect their application against CSRF attacks. If you wish to go against the convention, you can find the option to opt out in the conventions helper in the ConfigureServices portion of your Startup class.

public void ConfigureServices(IServiceCollection services)
{
    services.AddRazorPages()
            .AddRazorPagesOptions(options =>
            {
                options.Conventions
                       .ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
            });
}

This blog post goes into further detail specific to Razor Pages, options and usage scenarios.

Update - Response to comment

If you read the code, you may notice that there is no tag helper. – g.pickardou

There is indeed a tag helper. In a new Razor Pages project template you can find the tag helpers are included in the _ViewImports.cshtml file here:

@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers

We can validate that your <form /> element, as written in the OP is invoking an ASP.NET tag helper as follows:

    <form method="post">
        <input type="text" name="myinput"/>
        <input type="submit" value="Submit" />
    </form>

If we inspect the page source for this, we will see the result:

<form method="post">
    <input type="text" name="myinput" />
    <input type="submit" value="Submit" />
<input name="__RequestVerificationToken" type="hidden" value="{{token}}" />
</form>

Now, if we use the syntax to opt out of individual tag helpers:

<!form method="post">
    <input type="text" name="myinput" />
    <input type="submit" value="Submit" />
</!form>

and inspect the page source again, we can clearly see that we have explicitly opted out of this tag helper:

<form method="post">
    <input type="text" name="myinput" />
    <input type="submit" value="Submit" />
</form>
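The question also asks how to smoke test whether server-side validation is actually in effect. The following xUnit integration test is an added example, not code from the question or the answer; it assumes the Razor page from the question is served at /TestForm, that the app's entry point is the Startup class shown in the answer, and that the test project references Microsoft.AspNetCore.Mvc.Testing and xunit.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Assumed: the Razor page from the question is served at /TestForm, the app's
// entry point is the Startup class from the answer, and the test project
// references Microsoft.AspNetCore.Mvc.Testing and xunit.
public class AntiforgerySmokeTests : IClassFixture<WebApplicationFactory<Startup>>
{
    private readonly WebApplicationFactory<Startup> _factory;
    public AntiforgerySmokeTests(WebApplicationFactory<Startup> factory) => _factory = factory;

    // Pulls the hidden field rendered by the Form Tag Helper out of the page HTML.
    private static string ExtractToken(string html)
    {
        var m = Regex.Match(html, @"name=""__RequestVerificationToken""[^>]*value=""([^""]+)""");
        return m.Success ? m.Groups[1].Value : null;
    }

    [Fact]
    public async Task Post_without_token_is_rejected()
    {
        // CreateClient() keeps cookies, so the antiforgery cookie set on GET
        // travels with the POST; only the hidden form field is missing here.
        var client = _factory.CreateClient();
        await client.GetAsync("/TestForm");
        var form = new FormUrlEncodedContent(new Dictionary<string, string> { ["myinput"] = "smoke" });
        var response = await client.PostAsync("/TestForm", form);
        // Razor Pages validate the token on POST by default: missing token => 400.
        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
    }

    [Fact]
    public async Task Post_with_token_is_accepted()
    {
        var client = _factory.CreateClient();
        var html = await (await client.GetAsync("/TestForm")).Content.ReadAsStringAsync();
        var token = ExtractToken(html);
        Assert.NotNull(token);
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
            { ["myinput"] = "smoke", ["__RequestVerificationToken"] = token });
        var response = await client.PostAsync("/TestForm", form);
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
    }
}
```

If the opt-out filter from the answer (IgnoreAntiforgeryTokenAttribute) is registered, the first test fails because the token-less POST is accepted, which is exactly the signal that validation is no longer in effect.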