Disable the request verification token in ASP.NET Core

Time: 2020-02-28 07:21:53

Tags: asp.net-core asp.net-core-mvc

ASP.NET Core MVC seems to inject a request verification token into all of my forms:

<form class="actions" method="post">
    <input type="submit" class="btn btn-primary" value="Yes">
    <a class="btn btn-secondary" href="/some/url">No</a>
    <input name="__RequestVerificationToken" type="hidden" value="...">
</form>

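I am handling CSRF in Ajax and don't want this extra input element in all of my forms. Is there a way to disable it?

The element is added even without calling AddAntiforgery in Startup.cs. I am running on ASP.NET Core 3.1.

3 answers:

Answer 0 (score: 1)

When one of the following APIs is called in Startup.ConfigureServices, the Antiforgery middleware is added to the dependency injection container: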

AddMvc
MapRazorPages
MapControllerRoute
MapBlazorHub

For details, check this document.

To disable it, try the IgnoreAntiforgeryToken attribute shown below:

[Authorize]
[AutoValidateAntiforgeryToken]
public class ManageController : Controller
{
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public async Task<IActionResult> DoSomethingSafe(SomeViewModel model)
    {
        // no antiforgery token required
        return Ok();
    }
}

Details can be found here.

Answer 1 (score: 0)

I just want to say that [IgnoreAntiforgeryToken] can be used to disable the global [AutoValidateAntiForgeryToken] for certain actions when necessary.

Answer 2 (score: 0)

The token is appended by the Form Tag Helper. If you don't need the Tag Helper's other features, you can remove it with @removeTagHelper (in a view, or globally by adding it to _ViewImports.cshtml):

@removeTagHelper Microsoft.AspNetCore.Mvc.TagHelpers.FormTagHelper, Microsoft.AspNetCore.Mvc.TagHelpers

For more details/options, see the ASP.NET Core documentation.
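For the Ajax setup the question describes, the following added example (not from the original answers) keeps antiforgery validation on globally while accepting the token from a request header, so removing the hidden input does not leave POST actions unvalidated. The header name, cookie name, class layout and HTTPS-only cookie are assumptions chosen for illustration.

```csharp
// Added example, assuming ASP.NET Core 3.1 MVC served over HTTPS.
// "X-CSRF-TOKEN" and "XSRF-TOKEN" are illustrative names, not values from the page.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Accept the request token from a header so Ajax calls need no hidden <input>.
        services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

        // Validate the token on every unsafe HTTP method (POST, PUT, DELETE, ...).
        services.AddControllersWithViews(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        app.UseRouting();

        // On GET requests, issue the token pair and expose the request token
        // in a script-readable cookie; the client echoes it in the header.
        app.Use(async (context, next) =>
        {
            if (HttpMethods.IsGet(context.Request.Method))
            {
                var tokens = antiforgery.GetAndStoreTokens(context);
                context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                    new CookieOptions
                    {
                        HttpOnly = false,              // script must be able to read it
                        Secure = true,                 // assumption: site is HTTPS-only
                        SameSite = SameSiteMode.Strict
                    });
            }
            await next();
        });

        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

With this in place, a POST that omits the X-CSRF-TOKEN header is rejected with HTTP 400 unless the action or controller carries [IgnoreAntiforgeryToken].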